[21075] in bugtraq
Multiple Vulnerabilities In AMLServer
daemon@ATHENA.MIT.EDU (SNS Research)
Mon Jun 18 19:14:06 2001
Date: Mon, 18 Jun 2001 15:31:29 +0200
From: SNS Research <vuln-dev@greyhack.com>
Reply-To: SNS Research <vuln-dev@greyhack.com>
Message-ID: <14725565100.20010618153129@greyhack.com>
To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Strumpf Noir Society Advisories
! Public release !
<--#
-= Multiple Vulnerabilities In AMLServer =-
Release date: Monday, June 18, 2001
Introduction:
Air Messenger LAN Server is a paging gateway server for MS Windows
that allows you to send and recieve messages to a paging network
over a TCP/IP LAN to phones, pagers and e-mail.
AMLServer is available from vendor Internet Software Solutions's
website: http://www.internetsoftwaresolutions.org
Problem(s):
AMLServer Directory Traversal Problem
AMLServer's "Webpaging" http interface is susceptible to a directory
traversal attack. Adding the string "../" to a URL allows an
attacker access to files outside of the webserver's publishing
directory. This allows read access to any file on the server.
AMLServer Plaintext Password Storage
A second problem is found in the file pUser.Dat. All
username/password combinations applicable to the various services
provided by AMLServer are stored in this file in plaintext.
AMLServer Path Disclosure
The mentioned userfile is stored in the server's main directory.
The exact location can be obtained exploiting another problem in
the web interface, a path disclosure bug. The http-header field
'Location' contains the full path to servermaindir/Messages.
For example:
$ telnet target 80|grep Location
Location: http://C:\PROGRA~1\ISS\AIRMES~1\Messages
Connection closed by foreign host.
(..)
Solution:
Vendor has been notified and has expressed the intention to fix
these problems in version 4. Unfortunately, at the time of this
advisory the vendor wasn't able to supply us with an approximate
date for this "fixed" release so we have not been able to verify
this.
This was tested against AMLServer 3.4.2 on Win2k.
yadayadayada
Free sk8! (http://www.freesk8.org)
SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant, all information is provided on AS IS basis.
EOF, but Strumpf Noir Society will return!
