SecurityTracker.com
SecurityTracker Archives

Category:   Application (Web Server/CGI)  >   Abyss Web Server
Vendors:   Aprelium Technologies
Abyss Web Server Permits Brute Force Password Guessing on the Administrative Interface
SecurityTracker Alert ID:  1006091
SecurityTracker URL:  http://securitytracker.com/id/1006091
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 13 2003
Impact:   Host/resource access via network
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 1.1.2 and prior versions
Description:   A vulnerability was reported in the Abyss web server. A remote user can conduct brute force password guessing on the administrative interface.

A remote user can connect to the remote web management interface on port 9999 and can repeatedly attempt to guess the administrative password. According to the report, the server does not provide a delay and does not log the attempts.

Impact:   A remote user can repeatedly attempt to guess the administrative password without the attempt being logged by the server and without any delay between guessing attempts.
Solution:   No solution was available at the time of this entry. The vendor reportedly plans to include a fix in an updated version, to be released shortly.
Vendor URL:  www.aprelium.com/abyssws/index.html
Cause:   State error
Underlying OS:  Linux (Any), Windows (Any)

Message History:   None.


Source Message Contents

Subject:  Abyss WebServer Brute Force Vulnerability

Abyss WebServer Brute Force Vulnerability

Package:           Abyss WebServer
Vendor Web Site:   http://www.aprelium.com
Versions:          All versions <= v1.1.2
Platforms:         Linux, Windows
Local:             No
Remote:            Yes
Fix Available:     No (fix in progress)
Vendor Contacted:  Sunday, February 09, 2003 6:12 PM
Advisory Author:   thomas adams (tgadams@bellsouth.net)
Background:
Abyss Web Server is a free, easily configured web server designed for 
Windows and Linux operating systems. The vendor, Aprelium, targets small 
businesses and personal use with this "fast, small and easy to use" 
server. The main feature is a remote web management interface where a user 
can configure the server in a matter of minutes. 


Exploit:
By connecting to the remote web management interface at
http://abyss_server:9999 an attacker can use a brute-force method to gain
access to the server. There is no delay after a wrong attempt, and attackers
are given an indefinite number of attempts at entering a valid user and
password. Unlike the access.log file for port 80, Abyss has no logging for
port 9999. This allows an attacker to operate unseen.


Vendor Response: 
Aprelium was notified and will soon release an updated version of the 
server to include a fix for the brute-force attack and logging of port 
9999. The vendor was also notified of several directories and files
having write privileges. It was agreed that a user should set permissions
themselves, but there is no documentation telling a user what has write 
access by default. Aprelium has also decided to add a fix for the default 
permissions of directories and files. 
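The two controls the advisory says were absent on the port 9999 interface, a delay between wrong attempts and a record of every attempt, are shown together below as an added example written for this page; it is not Aprelium's code or part of the original report, and the credential store, salt, source addresses and `AdminAuthGuard` name are all constructed for illustration.

```python
import hashlib
import hmac
import logging
import time
from collections import defaultdict

log = logging.getLogger("admin-auth")

# Constructed credential store for the example: a single "admin" account with a
# hypothetical password, kept as a salted SHA-256 hex digest (a real deployment
# would use a password KDF such as scrypt or argon2 instead).
_SALT = b"example-salt"
_USERS = {"admin": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


class AdminAuthGuard:
    """Count failed logins per source address, enforce a growing lockout,
    and record every attempt so that guessing on the admin port is visible."""

    def __init__(self, max_failures=5, base_delay=2.0):
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.failures = defaultdict(int)        # source -> consecutive failures
        self.locked_until = defaultdict(float)  # source -> unix time
        self.audit = []                         # (time, source, user, outcome)

    def attempt(self, source, user, password, now=None):
        now = time.time() if now is None else now
        if now < self.locked_until[source]:
            return self._record(source, user, "locked", now)
        digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
        expected = _USERS.get(user, "")
        if expected and hmac.compare_digest(digest, expected):
            self.failures[source] = 0
            return self._record(source, user, "ok", now)
        self.failures[source] += 1
        n = self.failures[source]
        if n >= self.max_failures:
            # Exponential back-off once the threshold is hit: 2s, 4s, 8s, ...
            wait = self.base_delay * 2 ** (n - self.max_failures)
            self.locked_until[source] = now + wait
        return self._record(source, user, "denied", now)

    def _record(self, source, user, outcome, now):
        self.audit.append((now, source, user, outcome))
        log.warning("admin login %s from %s user=%r", outcome, source, user)
        return outcome
```

The `audit` list stands in for the per-port log the advisory notes is missing; in practice the warning lines would be shipped to the same collector as access.log.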

Copyright 2021, SecurityGlobal.net LLC