CERT Vulnerability Note VU#124059
Published: February 5, 2009

GoAhead WebServer information disclosure and authentication bypass vulnerabilities

Source: www.kb.cert.org

Severity: 5 Medium (CVSS2)

CVSS2 base metrics (Access Vector and Access Complexity read from the vector string below):
Access Vector: Network (AV:N)
Access Complexity: Low (AC:L)
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.055 Low (percentile 93.3%)

Overview

GoAhead WebServer contains vulnerabilities that may allow an attacker to view source files containing sensitive information or bypass authentication. The information disclosure vulnerability was previously published as VU#975041.

Description

GoAhead WebServer contains vulnerabilities in its handling of file requests. By sending the web server a specially crafted URL, an attacker may be able to view source files containing sensitive information or bypass authentication. GoAhead WebServer has a history of source file disclosure vulnerabilities.


Impact

An attacker may be able to view any file on the web server, including files that contain sensitive information like usernames and passwords. An attacker may also be able to bypass authentication for protected files.


Solution

Release notes for GoAhead WebServer 2.1.8 indicate that these vulnerabilities have been addressed. GoAhead WebServer is not being actively maintained. Vendors who redistribute GoAhead WebServer or include it in other products may release updates to address these vulnerabilities. Vendors who have modified GoAhead WebServer may or may not be affected. See the Systems Affected section below for more information.

GoAhead WebServer 2.1.8 on the Microsoft Windows platform remains vulnerable to source file disclosure.


Restrict access

To reduce exposure to these vulnerabilities, restrict network access to vulnerable systems.
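Restricting network access is a perimeter measure; the root cause the vendor addendum further down points at (security features bypassable by adding an extra slash to the URL) is an authorization decision taken on a request path before it has been canonicalized. The following Python is an added example written for this page, not GoAhead code and not a reconstruction of it: it canonicalizes a request target before the authorization check, shows a weak raw-prefix check beside the hardened one to illustrate the failure class, and scans constructed access-log lines for non-canonical requests that resolve into a protected area. The protected prefixes, the log lines and all function names are assumptions.

```python
"""Added example (not from the CERT note or from GoAhead WebServer):
canonicalize the request path *before* deciding whether it needs
authentication, and flag non-canonical requests into protected areas in logs."""
import posixpath
import re
from urllib.parse import unquote

# Constructed protected-area table (assumption; a server would load this from config).
PROTECTED_PREFIXES = ("/admin/", "/cgi-bin/")


def canonical_path(raw_target: str) -> str:
    """Reduce a request target to a single canonical absolute path.

    Drops query/fragment, percent-decodes once, collapses repeated slashes,
    resolves '.' and '..' segments, and never escapes the document root.
    The split is done by hand because urllib.parse.urlsplit would read a
    leading '//' as an authority component rather than as part of the path."""
    path = raw_target.split("?", 1)[0].split("#", 1)[0] or "/"
    path = unquote(path)
    path = re.sub(r"/+", "/", path)          # '//admin' -> '/admin'
    norm = posixpath.normpath(path)          # resolves '.', '..', stops at '/'
    if not norm.startswith("/"):
        norm = "/" + norm
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"                          # keep directory requests as directories
    return norm


def naive_requires_auth(raw_target: str) -> bool:
    """Weak form (illustration of the failure class, not GoAhead's code):
    a prefix test on the raw target as received, which a doubled slash steps around."""
    return raw_target.startswith(PROTECTED_PREFIXES)


def requires_auth(raw_target: str) -> bool:
    """Hardened form: the decision is made on the canonical path only."""
    path = canonical_path(raw_target)
    return any(path == p.rstrip("/") or path.startswith(p) for p in PROTECTED_PREFIXES)


# Constructed access-log lines in common log format (assumption: sample data only).
LOG_LINES = [
    '10.0.0.5 - - [05/Feb/2009:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.9 - - [05/Feb/2009:10:00:02 +0000] "GET //admin/config.asp HTTP/1.0" 200 2048',
    '10.0.0.9 - - [05/Feb/2009:10:00:03 +0000] "GET /admin/config.asp HTTP/1.0" 401 0',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def suspicious_requests(lines):
    """Return (client, raw_target, status, canonical) for requests whose raw
    target differs from its canonical form and resolves into a protected area.
    A 2xx status on such a line is worth a closer look: the server may have
    applied its check to the raw form rather than to the canonical path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        raw_path = target.split("?", 1)[0]
        canonical = canonical_path(target)
        if canonical != raw_path and requires_auth(canonical):
            hits.append((client, target, status, canonical))
    return hits


if __name__ == "__main__":
    for check in ("//admin/config.asp", "/admin/../index.html"):
        print(check, "->", canonical_path(check),
              "| naive:", naive_requires_auth(check), "| canonical:", requires_auth(check))
    for hit in suspicious_requests(LOG_LINES):
        print("non-canonical request into protected area:", hit)
```

The path is percent-decoded exactly once before normalization, so a double-encoded segment stays encoded and is compared as-is; the important property is that whatever string the file-serving code eventually opens is the same string the authorization decision was made on. The log check is deliberately narrow (non-canonical target plus protected destination) so that ordinary traffic with a stray slash elsewhere does not drown the signal.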


Vendor Information


GoAhead Software, Inc.: Affected

Updated: June 22, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

Addendum

See <http://data.goahead.com/Software/Webserver/2.1.8/release.htm#security-features-can-be-bypassed-by-adding-an-extra-slash-in-the-url-bug01518> for more information…

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23124059 Feedback>).

Rockwell Automation: Affected

Updated: December 29, 2009

Status

Affected

Vendor Statement

Please refer to our KnowledgeBase article for more information on this issue. It can be found here:

<http://rockwellautomation.custhelp.com/cgi-bin/rockwellautomation.cfg/php/enduser/std_adp.php?p_faqid=57729>

This article will be updated as information becomes available.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Acknowledgements

Thanks to Daniel Peck of Digital Bond, Inc. for reporting this issue.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2002-1603
Severity Metric: 0.06
Date Public:
