SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Lil' HTTP Server Vendors:   Summit Computer Networks
Lil' HTTP Server Discloses Files Located Outside of the Web Document Directory to Remote Users and Allows Remote Users to Conduct Cross-site Scripting Attacks Against Administrators
SecurityTracker Alert ID:  1004123
SecurityTracker URL:  http://securitytracker.com/id/1004123
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 22 2002
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 2.2 and prior
Description:   Two vulnerabilities were reported in the Lil' HTTP Server. A remote user can traverse the directory to view files located outside of the web document directory. A remote user can also conduct cross-site scripting attacks against administrators.

SecuriTeam reported that a remote user can send a URL with '../' directory traversal characters to navigate the directory structure and view files on the server that are located outside of the web server document directory.

A demonstration exploit URL that will display the 'win.ini' file is provided:

http://[target]/../../windows/win.ini

The Lil' HTTP Server reportedly allows a remote user to conduct cross-site scripting attacks against server administrators. It is reported that a remote user can insert Javascript into the HTTP Referer tag and the server will record this information in the server log file without properly escaping the code. When an administrator views the log file, the code will be executed by the administrator's web browser. The code will apparently run in the local 'My Computer' security context. The code may be able to access sensitive data on the administrator's computer or could take certain web-based actions as the administrator.

A demonstration exploit request is provided:

GET / HTTP/1.0
Referer: <script>alert('vulnerable')</script>

SecuriTeam reports that this information has been provided by <mailto:mattmurphy@kc.rr.com> Matthew Murphy.

Impact:   A remote user can view files located on the same partition (disk drive) as the web server. A remote user can cause arbitrary Javascript to be executed on the administrator's browser when the administrator views the log file. This code will execute in the administrator's local My Computer zone.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.summitcn.com/lilhttp/lildocs.html (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [NT] Lil' HTTP Server Directory Traversal Vulnerability


The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -



  Lil' HTTP Server Directory Traversal Vulnerability
------------------------------------------------------------------------


SUMMARY

 <http://www.summitcn.com/lilhttp/lildocs.html> Lil' HTTP Server is a 
lightweight web server. The server has been found to contain a 
vulnerability that would allow attackers to climb up the directory 
structure and obtain access to files that reside outside the normally 
bounding HTML root directory.

DETAILS

Vulnerable systems:
Lil' HTTP Server version 2.2 and prior

Example:
Accessing the following URL:
http://[target]/../../windows/win.ini

Will return the win.ini file located under the Windows directory.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:mattmurphy@kc.rr.com> 
Matthew Murphy.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any kind. 
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business
 profits or special damages. 






 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC