MyWebServer ServerProperties.html Arbitrary File Access

2004-09-26T09:42:01
ID OSVDB:10442
Type osvdb
Reporter nekd0(nekd0@rambler.ru)
Modified 2004-09-26T09:42:01

Description

Vulnerability Description

MyWebServer contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when accessing "ServerProperties.html" admin page and creating an FTP account with an arbitrary path occurs, which will disclose arbitrary files on the target server information resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

MyWebServer contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when accessing "ServerProperties.html" admin page and creating an FTP account with an arbitrary path occurs, which will disclose arbitrary files on the target server information resulting in a loss of confidentiality.

Manual Testing Notes

The administrative panel allows unauthenticated access. See "http://[target]/admin/ServerProperties.html"

References:

Vendor URL: http://www.mywebserver.org Security Tracker: 1011461 Related OSVDB ID: 10441 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-09/0410.html ISS X-Force ID: 17520 CVE-2004-1557 Bugtraq ID: 11254