 | ||||||
| << Previous | INDEX | Search | src | Set bookmark | Go to bookmark | Next >> |
| ||||||
| |||||||||||||||||||||
Date: Tue, 09 Apr 2002 16:20:33 -0400 From: Jeremy Roberts <macaddy@msn.com> To: bugtraq@securityfocus.com Subject: Abyss Webserver 1.0 Administration password file retrieval exploit Abyss Web Server was just released April 3rd . The Web Server is vulnerable to retrieving the password file on the host's computer. An attacker can send a request to get the password file just by breaking WWWROOT using Unicode. heres a report i wrote NETCRA$H SECURITY REPORT Abyss Web Server 1.0 Download password file to gain admin access Author: Sitedude ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: April 7, 2002 Class: Bad Programming Vulnerable to Unicode fault Remote/Local: Local & Remote Vulnerable: Abyss Webserver 1.0 . Unaffected: N/A Vulnerable Systems: Windows 95 Windows 98 (All Builds) Windows NT (All Builds) Windows 2000 (All Builds) Windows XP (All Builds) Abstract: Abyss Web Server was just released April 3rd . The Web Server is vulnerable to retrieving the password file on the host's computer. An attacker can send a request to get the password file just by breaking WWWROOT using Unicode. Exploit: http://127.0.0.1/cgi-bin/%2e%2e/abyss.conf Workaround: Download the patch below Vendor Status: The vendor has been contacted and provided a fix. Product Fix: We emailed the company and they have provided a fix Abyss Webserver Unicode fix ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ We at NetCrash Studios e-mailed the company and they did manage to fix the problem and provide us with the patch were hosting the patch on our site http://www26.brinkster.com/netcrash/abyssws.zip This is the reply from Aprelium Technologies ----------------------------------------------------------------------- First of all, thank you for your interest in Abyss Web Server and thank youfor the bug report you sent. The bug was confirmed and it has been fixed. You'll find a patched abyssws executable attached to this mail. Please uncompress it and replace the original one with it. If you have other questions or remarks, please do not heistate to contact us. Best regrads, Moez Mahfoudh CTO & Co-founder Aprelium Technologies http://www.aprelium.com ------------------------------------------------------------------------ Thanks for taking your time to read this. Jeremy NetCrash Studios http://www26.brinkster.com/netcrash _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.
| |||||||||||||||||||||