KF Web Server version 1.0.2 shows file and directory content

.oO Overview Oo.

KF Web Server version 1.0.2 shows file and directory content
Discovered on July 2nd, 2002
Vendor: KeyFocus (http://www.keyfocus.net/kfws/)

KF Web Server 1.0.2 is a free personal web server available for Windows 98, ME, 2000 and XP. This web server can be made to show file and directory content.

.oO Details Oo.

If the requested URL contains a %00 after a directory name, the server returns a listing of all files in that directory. An attacker can therefore see all hidden (non-HTML-linked) files and directories on the server.

.oO Exploit Oo.

The exploit is really easy. You can do it with any browser.

Examples:

http://server_name/index.html : Normal use.
http://server_name/%00 : You get the vulnerability.
http://server_name/index.html%00 : Is *not* vulnerable.
http://server_name/%00index.html : You get the vulnerability. In fact everything after %00 is ignored.
http://server_name/subdir/%00 : You get the vulnerability.

.oO Solution Oo.

The vendor has been informed and has solved the problem.
Upgrade to KF Web Server version 1.0.3 (http://www.keyfocus.net/kfws/download/)

.oO Discovered by Oo.

Arnaud Jacques aka scrap
webmaster@securiteinfo.com
http://www.securiteinfo.com
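The root cause described above is a percent-encoded NUL byte (%00) that the server decodes and then passes into path handling, where it truncates the file name so that only the directory part survives. The following is an added example, not code from the advisory or from KeyFocus: it shows the check a server should apply to a decoded request path (reject any NUL byte, plus traversal segments revealed by the same decode step) and a small detector that runs that same decode over constructed access-log lines to flag requests of this shape. The log format, IP addresses and function names (`path_is_safe`, `flag_null_byte_requests`) are assumptions made for the illustration; the request paths are the ones quoted in the advisory.

```python
"""Added example (not part of the original advisory): reject and detect
percent-encoded NUL bytes in HTTP request paths.

Function names, log lines and client addresses are constructed for
illustration and do not describe KF Web Server's internals."""
import re
from urllib.parse import unquote_to_bytes


def decode_path(raw_path: str) -> bytes:
    """Percent-decode a request path once, to the bytes a file API would receive."""
    return unquote_to_bytes(raw_path)


def path_is_safe(raw_path: str) -> bool:
    """Return True only if the decoded path is free of NUL bytes and '..' segments.

    A NUL byte terminates the string inside C-style file APIs, so the file system
    opens a shorter name (here: the directory) than the one the server validated.
    The check runs on the decoded bytes, because that is what reaches the OS.
    """
    decoded = decode_path(raw_path)
    if b"\x00" in decoded:
        return False
    # The same decode step exposes traversal segments, so refuse them here too.
    if b".." in decoded.split(b"/"):
        return False
    return True


# Minimal matcher for the request part of a Common/Combined Log Format line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def flag_null_byte_requests(log_lines):
    """Return (client, raw_path) for every log line whose path decodes to contain NUL.

    Matching on the decoded bytes rather than the literal text "%00" also catches
    mixed-case encodings such as %0A-free variants like "%00" written as "%00"
    inside otherwise normal paths, and it ignores requests that merely mention
    the string inside a query value that never decodes to a NUL byte.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        if b"\x00" in decode_path(m.group("path")):
            client = line.split(" ", 1)[0]
            hits.append((client, m.group("path")))
    return hits


# Constructed sample log (assumption: Combined Log Format, RFC 5737 test addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jul/2002:10:00:00 +0200] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.11 - - [02/Jul/2002:10:00:05 +0200] "GET /%00 HTTP/1.0" 200 2048',
    '192.0.2.11 - - [02/Jul/2002:10:00:09 +0200] "GET /subdir/%00 HTTP/1.0" 200 1024',
    '192.0.2.12 - - [02/Jul/2002:10:00:12 +0200] "GET /index.html%00 HTTP/1.0" 200 512',
    'not a log line at all',
]


if __name__ == "__main__":
    for raw in ("/index.html", "/%00", "/%00index.html", "/subdir/%00", "/../secret"):
        print(f"{raw:20s} safe={path_is_safe(raw)}")
    for client, path in flag_null_byte_requests(SAMPLE_LOG):
        print(f"NUL byte in request from {client}: {path}")
```

Note that `/index.html%00` is flagged by the detector even though the advisory reports it as not vulnerable on this server: the decoded path still contains a NUL byte, and a request of that shape has no legitimate purpose, so from a monitoring standpoint it is worth surfacing regardless of whether this particular version lists the directory for it.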