SecurityTracker.com

SecurityTracker
Archives

Category:   Application (Web Server/CGI)  >   Abyss Web Server
Vendors:   Aprelium Technologies
Abyss Web Server Directory Password Protection Can Be Bypassed
SecurityTracker Alert ID:  1008414
SecurityTracker URL:  http://securitytracker.com/id/1008414
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 8 2003
Impact:   User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): prior to 1.2
Description:   A vulnerability was reported in the Abyss Web Server when run on Linux with a FAT32 filesystem. A remote user can bypass password authentication to access restricted directories.

Luigi Auriemma reported that a remote user can supply a URL appended with an encoded '.' character (%2e) to bypass directory password protection.

Some demonstration exploit URLs are provided:

http://linux_server/protected_FAT32_dir.
http://linux_server/protected_FAT32_dir./
http://linux_server/protected_FAT32_dir%2e

According to the report, the vendor indicates that the space character (%20) and the colon character (%3a) may cause the same problem.
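The bypass described above is a canonicalization mismatch: the server's authorization rule is matched against the literal URL path, while the FAT32 filesystem resolves a name with a trailing dot to the same directory. The following is an added illustration, not Abyss's own code, contrasting a naive prefix check with one that canonicalizes the path before matching; the protected directory name is taken from the demonstration URLs, and the rule that a FAT32 lookup ignores trailing dots and spaces is an assumption about the filesystem rather than something the advisory states.

```python
from urllib.parse import unquote

# Constructed example: one password-protected directory, named as in the
# demonstration URLs in the advisory.
PROTECTED_DIR = "/protected_FAT32_dir"


def naive_requires_auth(url_path: str) -> bool:
    """Literal match on the request path, with no decoding or
    normalisation. '/protected_FAT32_dir.' does not equal the rule's
    name, so this says 'no auth needed' although the filesystem will
    serve the protected directory for that request."""
    return url_path == PROTECTED_DIR or url_path.startswith(PROTECTED_DIR + "/")


def fat32_canonical(url_path: str) -> str:
    """Rewrite the request path into the form the filesystem will
    actually look up. Assumption (not from the advisory): a FAT32 name
    lookup ignores trailing dots and spaces, so 'dir.' and 'dir ' both
    resolve to 'dir'. Percent-encoding is decoded first so that '%2e'
    is handled exactly like a literal dot."""
    decoded = unquote(url_path)
    out = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue                      # empty segment or self-reference
        if seg == "..":
            if out:
                out.pop()                 # parent reference
            continue
        seg = seg.rstrip(". ")            # what the FAT32 lookup drops
        if seg:
            out.append(seg)
    return "/" + "/".join(out)


def hardened_requires_auth(url_path: str) -> bool:
    """Apply the rule to the canonical path, i.e. to what the filesystem
    will serve, rather than to the bytes the client sent."""
    canon = fat32_canonical(url_path)
    return canon == PROTECTED_DIR or canon.startswith(PROTECTED_DIR + "/")


def is_bypass(url_path: str) -> bool:
    """True when the naive check would pass the request through
    unauthenticated even though it reaches the protected directory."""
    return hardened_requires_auth(url_path) and not naive_requires_auth(url_path)
```

Rather than emulating the filesystem's name rules in the server, the more robust fix is to apply the authorization check to the path the server has already resolved on disk, so the rule and the lookup can never disagree.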

Impact:   A remote user can access directories that are ostensibly password protected.
Solution:   The vendor has released a fixed version (1.2), available at:

http://www.aprelium.com/abyssws/download.php

Vendor URL:  www.aprelium.com/abyssws/index.html
Cause:   Authentication error
Underlying OS:  Linux (Any)

Message History:   None.


Source Message Contents

Subject:  http://aluigi.altervista.org/adv/abyss-dot-adv.txt


#######################################################################

                              Luigi Auriemma

Application:  Abyss webserver
               http://www.aprelium.com
Versions:     lower than 1.2
Platforms:    Linux version only
Bug:          Bypass of password-protected folder authorization on
               FAT32 filesystems
Risk:         medium
               (but users rarely run a webserver on a FAT32 partition
               under Linux)
Exploitation: remote through browser
Date:         08 Dec 2003
Author:       Luigi Auriemma
               e-mail: aluigi@altervista.org
               web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Abyss webserver is a nice and tiny free closed-source web server
developed for Win32, Linux x86, MacOS and FreeBSD platforms.



#######################################################################

======
2) Bug
======


The bug is a protection bypass, but it happens only on Linux when the
protected folder is on a FAT32 filesystem. It is probably a bit unusual
for someone to use a webserver on Linux to share a FAT32 directory, but
Abyss is very useful for fast configurations and for personal usage, so
this is not a rare case (... in fact I found this bug just because I
was sharing a FAT32 dir...).

Practically, if the admin runs Linux and has a FAT32 directory protected
by password, an attacker can bypass the authorization simply by adding
a dot or an HTTP-encoded dot (%2e) at the end of the URL.

The developers have reported that the characters space (' ', %20) and
':' (%3a) also cause the same problem (but on my system they only
cause a correct 404 error).



#######################################################################

===========
3) The Code
===========


http://linux_server/protected_FAT32_dir.
http://linux_server/protected_FAT32_dir./
http://linux_server/protected_FAT32_dir%2e



#######################################################################

======
4) Fix
======


Version 1.2, released 3rd Dec 2003



#######################################################################



Copyright 2021, SecurityGlobal.net LLC