minihttp.txt

2003-09-16T00:00:00
ID PACKETSTORM:31647
Type packetstorm
Reporter Peter Winter-Smith
Modified 2003-09-16T00:00:00

Description

                                        
Minihttpserver 1.x Host Engine Flaws
  
Url: http://www.minihttpserver.net  
  
+ File-Sharing for NET:  
  
"File Sharing for net is a complete, secure web server that shares your  
business documents and files over the web: remote users only need  
browsers to view your files. Share, transfer files securely with  
colleagues. "  
  
+ Forums Web Server  
  
"WebForums Server allows you to setup a bulletin board and photo/file  
exchange web service. It offers a built in HTTP engine, internal  
database engine, integrated HTML/Script pages, user management  
interface, message board engine and a secure file Upload/Download  
option. It is without a doubt the easiest and complete all in one Forum
Server software you have seen."  
  
- Both Vendor Descriptions
  
Both products, in my opinion, deliver exactly what they offer, and are  
definitely a reasonable buy for the price, remembering the fact that  
you do not only get the scripts, but a well rounded webserver to boot.  
  
However there is one aspect in which they are seriously lacking -  
Security.  
  
In light of Mr Dennis Rand's recent discovery of several dangerous  
flaws within the server:  
  
http://www.infowarfare.dk/Advisories/iw-09-advisory.txt  
  
All of which (it is claimed) are fixed, you would have thought that  
security would have become quite a priority for the development team,  
but it appears this was not the case.  
  
It took me about two minutes to find two more dangerous flaws which  
can allow a remote user complete administrator access to the system  
file/forum system and any file on the remote server.  
These are not difficult, hard-to-find flaws, and I think even a few
minutes' auditing would have turned both of these up immediately.
  
Flaw 1 - Directory Traversal:  
=============================  
  
http://server/../user.ini  
  
This will allow the remote unauthenticated user to break free of the
webroot, and download any file on the system.
  
The example file downloads the username and password file for both  
applications, effectively allowing an intruder to access the vulnerable  
system from the web based login page without any type of malformed  
request.  
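
The server-side check that stops this class of request, shown as an added example (not part of the original advisory and not the vendor's code): the unchecked join that lets "/../user.ini" leave the webroot, next to a resolver that canonicalises the path and refuses anything outside it. The directory name "wwwroot", the function names and the file layout are assumptions made for the illustration.

```python
import os
import tempfile
from urllib.parse import unquote


def naive_resolve(webroot, url_path):
    # Vulnerable pattern: the request path is joined to the webroot unchecked,
    # so "/../user.ini" resolves to a file one level above it.
    return os.path.normpath(os.path.join(webroot, url_path.lstrip("/")))


def safe_resolve(webroot, url_path):
    """Return the canonical path to serve, or None if it leaves the webroot."""
    root = os.path.realpath(webroot)
    # Decode exactly once, then treat "\" as a separator as Windows does.
    rel = unquote(url_path).replace("\\", "/").lstrip("/")
    if "\x00" in rel:
        return None
    try:
        candidate = os.path.realpath(os.path.join(root, rel))
        # commonpath compares whole components, so a sibling directory such
        # as "wwwroot-old" is not mistaken for "wwwroot".
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. a different drive letter on Windows
        return None
    return candidate if inside else None


def demo():
    # Constructed layout (assumed): user.ini sits one directory above the webroot.
    base = tempfile.mkdtemp()
    webroot = os.path.join(base, "wwwroot")
    os.mkdir(webroot)
    for path in (os.path.join(base, "user.ini"), os.path.join(webroot, "index.html")):
        open(path, "w").close()
    requests = ["/index.html", "/../user.ini", "/%2e%2e/user.ini", "/..\\user.ini"]
    return {r: safe_resolve(webroot, r) is not None for r in requests}


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request!r:22} {'serve' if allowed else 'reject (outside webroot)'}")
```

The check runs on the canonical path after decoding, so the percent-encoded and backslash forms of the same request are rejected along with the plain one.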
  
Flaw 2 - Login Parsing Flaw  
===========================  
  
When Web Forum Server is first installed, it is often possible to  
gain administrator access to the forum by using the following login  
information:  
  
Username: Admin  
Password: "  
  
I have managed to also log in this way by typing ' admin" ' in the
password recovery box.
  
  
======================================================================  
  
  
Operating system and servicepack level:  
Windows 9x/Me/NT Based  
  
  
Software:  
+ Minihttpserver 1.x  
+ Web Forum Server 1.x  
+ File-Sharing NET 1.x  
  
  
Under what circumstances the vulnerability was discovered:  
By mistake pretty much - Testing some older vulns.  
  
  
If the vendor has been notified:  
Yes, the vendor had been notified.  
  
  
How to contact you for further information:  
I can always be reached at peter4020@hotmail.com  
  
  
Please credit this find to:  
Peter Winter-Smith  
  
  
Thank you for your time,  
-Peter  
  