[12493] in bugtraq
Re: Eserv 2.50 Web interface Server Directory Traversal
daemon@ATHENA.MIT.EDU (Andrey Cherezov)
Tue Nov 9 12:25:03 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <010d01bf2a37$5d7ffce0$8314bac2@ac>
Date: Tue, 9 Nov 1999 00:19:36 +0200
Reply-To: Andrey Cherezov <andrey@CHEREZOV.KOENIG.SU>
From: Andrey Cherezov <andrey@CHEREZOV.KOENIG.SU>
X-To: Noam Rathaus <expert@securiteam.com>
To: BUGTRAQ@SECURITYFOCUS.COM
Hello!
It was a surprise for me: Windows allows opening a file
with the name "wwwroot\--\..\..\conf\Eserv.ini"
when the folder "--" does not exist. This seems to be a Windows bug, not mine,
but I was forced to fix Eserv. (Already fixed in Eserv build 2841.)
Thank you again!
----- Original Message -----
From: Ussr Labs <labs@USSRBACK.COM>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Friday, November 05, 1999 2:17 AM
Subject: Eserv 2.50 Web interface Server Directory Traversal Vulnerability
> Eserv 2.50 Web interface Server Directory Traversal Vulnerability
>
> Product:
>
> Eserv/2.50 is the complete solution for accessing the Internet from a LAN:
>
> - Mail Server (SMTP and POP3, with ability to share one mailbox
> on the ISP, aliases and mail routing support)
> - News Server (NNTP)
> - Web Server (with CGI, virtual hosts, virtual directory support,
> web-interface for all servers in the package)
> - FTP Server (with virtual directory support)
> - Proxy Servers
> * FTP proxy and HTTP caching proxy
> * FTP gate
> * HTTPS proxy
> * Socks5, Socks4 and 4a proxy
> * TCP and UDP port mapping
> * DNS proxy
> - Finger Server
> - Built-in scheduler and dialer (dial on demand,
> dialer server for external agents, scheduler for any tasks)
>
> PROBLEM
>
> UssrLabs found an Eserv Web Server Directory Traversal Vulnerability.
> Using the string '../' in a URL, an attacker can gain read access to
> any file outside of the intended web-published filesystem directory.
>
> There is not much to expand on this one....
>
> Example:
>
> http://127.1:3128/../../../conf/Eserv.ini shows the whole configuration file,
> including account names
>
>
> Vendor Status:
> Not contacted
>
> Vendor Url: http://www.eserv.ru/
> Program Url: http://www.eserv.ru/eserv/
>
> Credit: USSRLABS
>
> SOLUTION
>
> Nothing yet.
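The thread above turns on one detail: Windows resolves ".." lexically, so "wwwroot\--\..\..\conf\Eserv.ini" opens conf\Eserv.ini even though the folder "--" never existed. A check that asks the file system whether each directory exists therefore proves nothing; the request path has to be normalised lexically and rejected if it climbs above the document root. The following is an added example written for this page, not Eserv's code or the fix in build 2841. The document root and the helper names are hypothetical, and it goes slightly beyond the advisory's "../" case by treating backslashes as separators and by undoing percent-encoding before the check, which a server on Windows has to do as well.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root used only for this demonstration.
DOCROOT = "C:/Eserv/wwwroot"


def safe_subpath(url_path: str):
    """Turn a request path into a path relative to the document root.

    Returns the normalised relative path, or None when the request would
    climb above the root. The check is purely lexical: it never asks the
    file system whether a directory exists, because Windows resolves '..'
    lexically as well, so 'wwwroot\\--\\..\\..\\conf\\Eserv.ini' opens
    conf\\Eserv.ini even though the folder '--' does not exist.
    """
    # Drop the query string; it plays no part in locating the file.
    path = url_path.split("?", 1)[0]
    # Undo percent-encoding once, so that an encoded '..' is seen as '..'.
    path = unquote(path)
    # Windows accepts '\\' as a separator, so treat it exactly like '/'.
    path = path.replace("\\", "/")
    # Normalise the path as a *relative* one: on an absolute path normpath
    # silently discards leading '..', which is precisely what must be seen.
    rel = posixpath.normpath(path.lstrip("/"))
    if rel == ".." or rel.startswith("../"):
        return None          # the request tried to leave the document root
    if rel == ".":
        rel = ""             # request for the root itself
    return rel


def map_url_to_file(url_path: str, docroot: str = DOCROOT):
    """Return the file to serve for url_path, or None if it escapes docroot."""
    rel = safe_subpath(url_path)
    if rel is None:
        return None
    return posixpath.join(docroot, rel)


if __name__ == "__main__":
    # Constructed request paths: the advisory's URL path, the non-existent
    # folder variant from the reply, and the same thing with backslashes.
    for req in ["/index.html",
                "/../../../conf/Eserv.ini",
                "/--/../../conf/Eserv.ini",
                "\\--\\..\\..\\conf\\Eserv.ini"]:
        print(f"{req!r:36} -> {map_url_to_file(req)}")
```

The "--" variant is rejected for the same reason the plain "../../../" one is: after lexical normalisation both still begin with "..", and whether "--" exists on disk never enters into it. Checking a string prefix against the document root only after the operating system has resolved the path would have given the same answer here, but doing the normalisation yourself keeps the decision independent of how the platform's file API treats non-existent components.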