SecurityTracker.com
Category:   Application (Web Server/CGI)  >   LiteWeb
Vendors:   Perception
LiteWeb Lets Remote Users Access Restricted Pages
SecurityTracker Alert ID:  1014096
SecurityTracker URL:  http://securitytracker.com/id/1014096
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 3 2005
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 2.5
Description:   Ziv Kamir from Global Security Solution IT reported a vulnerability in LiteWeb. A remote user can access ostensibly protected files on the target system.

A remote user can request URLs of the following form to access password-protected files on the target server without authenticating:

http://[target]/\admin\/login.html

http://[target]//admin//login.html

The vendor was notified on June 2, 2005.

Impact:   A remote user can access password-protected files on the target system.
Solution:   No solution was available at the time of this entry. The vendor plans to issue a fix in the next version.
Vendor URL:  www.cmfperception.com/liteweb.html
Cause:   Authentication error
Underlying OS:  Windows (Any)

Message History:   None.
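
The advisory does not say how LiteWeb decides that a path is protected. Assuming the decision is a literal comparison against the raw request path (an assumption, not confirmed by the vendor), this added example, which is not LiteWeb code, shows why the two URL forms above miss such a check and how canonicalizing the path first closes the gap; it goes beyond the two reported forms by also covering percent-encoded separators and case differences. All function names and the `/admin` policy are illustrative.

```python
import posixpath
from urllib.parse import unquote

# Constructed policy for the example: everything under /admin needs a login.
PROTECTED_PREFIXES = ("/admin",)

def _under(path, prefix):
    return path == prefix or path.startswith(prefix + "/")

def naive_is_protected(raw_path):
    """Assumed flawed check: literal prefix match on the raw request path."""
    return any(_under(raw_path, p) for p in PROTECTED_PREFIXES)

def canonicalize(raw_path):
    """Reduce a request path to the single form the file system will resolve."""
    path = unquote(raw_path)                 # decode %5c, %2f and similar once
    if "\x00" in path:
        raise ValueError("NUL byte in request path")
    path = path.replace("\\", "/")           # Windows accepts both separators
    path = "/" + path.lstrip("/")            # exactly one leading slash
    path = posixpath.normpath(path)          # collapse '//' and resolve '.', '..'
    return path.lower()                      # Windows file names ignore case

def hardened_is_protected(raw_path):
    """Make the access decision on the canonical path, never the raw one."""
    canonical = canonicalize(raw_path)
    return any(_under(canonical, p) for p in PROTECTED_PREFIXES)

def needs_review(raw_path):
    """Log-triage helper: non-canonical spelling of a protected resource."""
    return hardened_is_protected(raw_path) and not naive_is_protected(raw_path)

# Constructed request paths: the two forms from the advisory plus controls.
SAMPLES = [
    "/admin/login.html",
    "/\\admin\\/login.html",
    "//admin//login.html",
    "/index.html",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{raw!r:28} naive={naive_is_protected(raw)!s:5} "
              f"hardened={hardened_is_protected(raw)!s:5} review={needs_review(raw)}")
```

`needs_review` can be run over the request-path column of an access log to flag requests that reach a protected resource through a non-canonical spelling.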


 Source Message Contents

Subject:  LiteWeb 2.5



02/06/05


====================================
 GSSIT - Global Security Solution IT
====================================		

-------------------------------------------------------

Application: LiteWeb Server
Web Site:    www.cmfperception.com
Versions:    2.5
Platform:    Windows 
Bug:         An access control vulnerability.
             
                           
Credits:
########

#########################################
#         ==  Ziv Kamir ==              #
#                                       #
# GSSIT - Global Security Solution IT   #                   
#                                       #
#     Email : gss_it@yahoo.com          #
#                                       #
#     Web   : www.gssit.co.il           #
#                                       #
#########################################

---------------------

1) Introduction
2) Bug
3) The Code
4) Fix


================
1) Introduction
================

LiteWeb is a powerful web server that handles multiple domains 
and supports PHP, Perl, MySQL, and much more. 


=======
2) Bug
=======

A remote user may obtain password-protected files on the server without having to authenticate. 


===========
3) The Code
===========

http://Target/\admin\/login.html

http://Target//admin//login.html


======
4) Fix
======

Date of Vendor Notification:
----------------------------

02/06/05

Response:
---------

02/06/05

It will be fixed in the next version.



==============================================================================================

                 *** The Data is for educational purpose only. *** 

          The information in this bulletin is provided "AS IS" without 
          warranty of any kind. In no event shall we be liable for any 
          damages whatsoever including direct, indirect, incidental, 
          consequential, loss of business profits or special damages. 

==============================================================================================
 
 



Copyright 2020, SecurityGlobal.net LLC