SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   pWins Vendors:   Hallek, Timo
pWins Web Server Input Validation Flaw Discloses Files on the System to Remote Users
SecurityTracker Alert ID:  1005726
SecurityTracker URL:  http://securitytracker.com/id/1005726
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Nov 28 2002
Impact:   Disclosure of system information, Disclosure of user information
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 0.2.5 and earlier
Description:   A vulnerability was reported in the pWins web server. A remote user can view files on the system located outside of the web document directory.

It is reported that a remote user can supply a URL containing unicode directory traversal characters to view arbitrary files on the system. A demonstration exploit (without the actual unicode encoding) is provided:

http://SomeWebServer/../../windows/repair/sam._

Impact:   A remote user can view arbitrary files on the system.
Solution:   No solution was available at the time of this entry. According to the report, a patch has been posted to the vendor's web site, but this patch may not fix the problem. The vendor is reportedly working on a fix for the pending version 0.2.8.
Vendor URL:  sourceforge.net/projects/pwins (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  Tested only on Windows

Message History:   None.


 Source Message Contents

Subject:  pWins Perl Web Server Directory Transversal Vulnerability


>From www.sourceforge.net/projects/pwins: "pWins is a webserver-software 
based on perl and ruby (not yet) code. My aim is to make it fast, small and 
secure, supporting cgi (perl, ruby) and php scripts. It's easy to install 
and configurate!"

versions: 0.2.5 and earlier, tested on Windows only..

description:
pWins allows directory transversal via unicode characters (%255, you know, 
nimda stuff).. If it's installed on the c drive, you can get to any file 
(ahem.. sam._) easily.. for example, 
http://SomeWebServer/../../windows/repair/sam._

no exploit provided because too trivial..

fix:
author has posted a patch in the Bugs section on sourceforge.net, but I've 
found that it breaks script processing because he forgot to escape the 
special characters (%)in his regular expressions.. line 247 of cgipl.pm (i 
think) search for url_check

or wait for version 0.2.8 due to be out soon..

Matt Wagenknecht
Security Administrator







_________________________________________________________________
The new MSN 8: smart spam protection and 2 months FREE*  
http://join.msn.com/?page=features/junkmail

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC