[20275] in bugtraq
Advisory for Viking
daemon@ATHENA.MIT.EDU (neme-dhc@HUSHMAIL.COM)
Tue Apr 17 16:02:49 2001
Content-type: multipart/mixed;
boundary="Hushpart_boundary_gMOcaLmjydjyRtULhJJLlKmfocpjqdMa"
Mime-version: 1.0
Message-ID: <200104171346.GAA25163@user7.hushmail.com>
Date: Tue, 17 Apr 2001 09:45:02 -0500
Reply-To: neme-dhc@HUSHMAIL.COM
From: neme-dhc@HUSHMAIL.COM
To: BUGTRAQ@SECURITYFOCUS.COM
--Hushpart_boundary_gMOcaLmjydjyRtULhJJLlKmfocpjqdMa
Content-type: text/plain
[ Advisory for Viking ]
[ Viking is made by Robtex. ]
[ Site: http://www.robtex.com/viking ]
[ by nemesystm of the DHC ]
[ (http://dhcorp.cjb.net - neme-dhc@hushmail.com) ]
[ ADV-0107 ]
/-|=[explanation]=|-\
Viking is a webserver. It has a simple hex encoded
dot dot bug.
/-|=[who is vulnerable]=|-\
Tested to be vulnerable:
Viking 1.04
Viking 1.06
Viking 1.07
I assume earlier versions to be vulnerable as well.
/-|=[testing it]=|-\
To test this vulnerability, try the following.
www.server.com/%2e%2e/%2e%2e/scandisk.log
this works if Viking has been installed in the
proposed directory and scandisk.log exists. Add
%2e%2e/ to adjust the amount of directories to go
down, change scandisk.log to reflect the file you
want.
/-|=[notes]=|-\
In the SMTP server VRFY and EXPN are enabled by
default and I was unable to turn these commands off.
They could be used by spammers to verify accounts.
This was verified for Viking 1.07
/-|=[plug]=|-\
A temporary fix was made available in 15 minutes
after e-mailing. The quick and friendly response
was just outstanding.
/-|=[fix]=|-\
It is best to download the latest version at
www.robtex.com. A other possibility is to add the
following line to httpd.cnf
Wild http:*%2e* x-viking:/na
I would suggest upgrading, but if that is
impossible, the above fix will properly prevent
this problem to be exploited on a server.
Free, encrypted, secure Web-based email at www.hushmail.com
--Hushpart_boundary_gMOcaLmjydjyRtULhJJLlKmfocpjqdMa--
