SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Abyss Web Server
Vendors:   Aprelium Technologies
Aprelium's Abyss Web Server Discloses Directory Contents to Remote Users
SecurityTracker Alert ID:  1004870
SecurityTracker URL:  http://securitytracker.com/id/1004870
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 29 2002
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.0.3
Description:   Securiteinfo.com reported an information disclosure vulnerability in the Abyss Web Server. A remote user can view a list of files on the web server.

A remote user can reportedly send an HTTP GET request with more than 256 slashes ("/") to cause the server to display a list of all files in the specified directory.

Only the Windows versions of the server are affected.

Impact:   A remote user can view directory listings for web directories on the server.
Solution:   The vendor has released a fixed version (1.0.7), available at:

http://www.aprelium.com/news/abws107tp.html

Vendor URL:  www.aprelium.com/news/abws107tp.html
Cause:   Access control error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.
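
A log check for the request pattern described above, as an added example that is not part of the original advisory: it flags GET requests whose path carries more than 256 slashes and separates those answered with 414 from those the server actually served. The Common Log Format layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Threshold taken from the advisory: requests with more than 256 slashes.
SLASH_THRESHOLD = 256

# Assumed log layout (Common Log Format):
# host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def classify(line):
    """Return a finding dict for a slash-heavy GET request, else None."""
    m = CLF.match(line)
    if not m or m["method"] != "GET":
        return None
    path = m["target"].split("?", 1)[0]   # only the path selects a directory
    slashes = path.count("/")
    if slashes <= SLASH_THRESHOLD:
        return None
    status = int(m["status"])
    # 414 is the rejection the advisory describes on Linux; a 2xx answer
    # means the server returned content for the oversized path.
    if status == 414:
        verdict = "rejected"
    elif 200 <= status < 300:
        verdict = "served-review-response"
    else:
        verdict = "other"
    return {"host": m["host"], "time": m["time"], "slashes": slashes,
            "status": status, "verdict": verdict}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jul/2002:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.44 - - [29/Jul/2002:10:00:07 +0000] "GET /docs' + "/" * 300 + ' HTTP/1.0" 200 5120',
    '192.0.2.44 - - [29/Jul/2002:10:00:09 +0000] "GET ' + "/" * 257 + ' HTTP/1.0" 414 210',
    '192.0.2.77 - - [29/Jul/2002:10:00:12 +0000] "GET /a/b/c/?next=' + "/" * 400 + ' HTTP/1.0" 200 88',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "served-review-response" finding on a Windows host running 1.0.3 is the case to inspect first, since the response body may contain a directory listing.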


 Source Message Contents

Subject:  Abyss Web Server version 1.0.3 shows file and directory content



Abyss Web Server version 1.0.3 shows file and directory content
Discovered on 2002, June, 30th
Vendor: Aprelium

Abyss Web Server 1.0.3 is a free personal web server available for
Windows and Linux operating systems. This web server can show file and
directory content. Only the Windows version of Abyss is vulnerable.


When sending a GET request with more than 256 slashes ("/"), the server
shows all files in the directory content.
A hacker can see all hidden (non-HTML linked) files and directories on
the server.
This works only on Windows platforms. On the Linux platform, this
request is handled, and returns a 414 (Request-URI Too Large) error.


The vendor has been informed and has solved the problem.
Download Abyss Web Server 1.0.7 at:
http://www.aprelium.com/news/abws107tp.html


Arnaud Jacques aka scrap
webmaster@securiteinfo.com
http://www.securiteinfo.com


 
 

