[14377] in bugtraq


vqserver /........../

daemon@ATHENA.MIT.EDU (Johan Nilsson)
Wed Mar 22 02:17:33 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id:  <4.1.20000321084646.0095c7f0@olga.swip.net>
Date:         Tue, 21 Mar 2000 09:10:43 +0100
Reply-To: Johan Nilsson <nilssonssite@SWIPNET.SE>
From: Johan Nilsson <nilssonssite@SWIPNET.SE>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Version tested: vqserver 1.9.9 for Windows

The webserver vqserver follows /........../ in requests.
http://host/........../autoexec.bat gives the autoexec.bat file.

More serious,
http://host/........../some/path/vq/server/cfg/server.cfg
where /some/path/ could be anything, but normally /program/vqserver/,
gives the server settings and all passwords unencrypted.
By default remote administration is on port 9090; with the login and
password in server.cfg, anyone could configure the server.

I have downloaded the latest Windows version from www.vqsoft.com and
did not find this problem in the latest version, 1.9.31. Strange version
number, lower than the version I found this problem in... Could someone
give an explanation?


Johan Nilsson
<nilssonssite@swipnet.se>
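
Added example, not part of the original post and not vqserver code: a request-path check that refuses any segment made only of dots (of any length, so /........../ is caught as well as /../), plus a scan of an access log for such requests. The document root, the log format and the sample log lines are assumptions constructed for the illustration.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import unquote, urlsplit

DOCROOT = PureWindowsPath(r"C:\www\htdocs")  # hypothetical docroot, not from the post

# A segment made only of dots (optionally mixed with spaces): ".", "..", "..........".
DOT_SEGMENT = re.compile(r"^[. ]*\.[. ]*$")
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3}')

# Constructed sample access log (common log format), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Mar/2000:09:00:01 +0100] "GET /index.html HTTP/1.0" 200 1043
192.0.2.77 - - [22/Mar/2000:09:00:05 +0100] "GET /........../autoexec.bat HTTP/1.0" 200 312
192.0.2.77 - - [22/Mar/2000:09:00:09 +0100] "GET /........../program/vqserver/vq/server/cfg/server.cfg HTTP/1.0" 200 2210
192.0.2.10 - - [22/Mar/2000:09:00:12 +0100] "GET /docs/v1.9/readme.txt HTTP/1.0" 200 880
"""


def resolve(url):
    """Map a request URL to a path under DOCROOT, or None if it must be refused."""
    # Decode once first so percent-encoded dots are judged like literal ones.
    path = unquote(urlsplit(url).path)
    segments = [s for s in re.split(r"[/\\]", path) if s]
    # Refuse dot-only segments of any length and drive or stream specifiers.
    if any(DOT_SEGMENT.match(s) or ":" in s for s in segments):
        return None
    return DOCROOT.joinpath(*segments)


def scan_log(text):
    """Return (client, request_path) for logged requests that resolve() refuses."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and resolve(m.group(2)) is None:
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for client, path in scan_log(SAMPLE_LOG):
        print(client, path)
```

A hit with a 200 status on a server.cfg request means the stored administration login should be treated as disclosed and changed.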
