wwwfilesharepro.txt

15 Jan 2004 | Reported by Luigi Auriemma | Type: packetstorm | Source: packetstormsecurity.com

Critical vulnerabilities in WWW File Share Pro allow remote file overwrite and crashes.

Code
`  
#######################################################################  
  
Luigi Auriemma  
  
Application: WWW File Share Pro  
http://www.wfshome.com  
Versions: <= 2.42  
Platforms: Windows  
Bugs: - arbitrary server's files overwriting  
- remote crash  
- directory authorization bypass  
Risk: critical  
Exploitation: remote  
Date: 14 Jan 2004  
Author: Luigi Auriemma  
e-mail: [email protected]  
web: http://aluigi.altervista.org  
  
  
#######################################################################  
  
  
1) Introduction  
2) Bugs  
3) The Code  
4) Fix  
  
  
#######################################################################  
  
===============  
1) Introduction  
===============  
  
  
From the vendor's website:  
  
"WWW File Share Pro is a small HTTP server that can help you share  
files with your friends. They can download files from your computer or  
upload files from theirs. Simply specify a directory for downloads and  
a directory for uploads. ...  
WWW File Share Pro supports password protection. If you enable password  
protection, only authorized user can access your service."  
  
  
#######################################################################  
  
=======  
2) Bugs  
=======  
  
  
A] Arbitrary server's files overwriting  
---------------------------------------  
  
The program has an option, enabled by default, that lets people upload  
their files to a dedicated directory specified by the server's  
administrator.  
A flaw lets any user create or overwrite any file on the remote server  
simply by using a dot-dot pattern in the name of the file passed to the  
server.  
The following is the legitimate parameter sent to the server:  
Content-Disposition: form-data; name="file"; filename="file.txt"  
  
And this is the modified parameter to exploit the vulnerability:  
Content-Disposition: form-data; name="file"; filename="../../../file.txt"  
  
  
B] Remote crash  
---------------  
  
An attacker can crash the remote server by sending a lot of bytes using  
the POST command.  
The effect is the CPU at 100% if the data is not too much (less than 2  
megabytes), and a server crash or even a complete system freeze if the  
data is more.  
  
  
C] Directory authorization bypass  
---------------------------------  
  
If the server has some protected directories, the attacker can bypass  
the authorization process and gain full access to them.  
This bug affects only individual protected directories and NOT the "whole site"  
protection (option in User/Password setting).  
To exploit the bug, a dot must be used at the end of the URL, or one or  
more slashes or backslashes at the beginning of the URI.  
  
  
#######################################################################  
  
===========  
3) The Code  
===========  
  
  
A] Arbitrary server's files overwriting  
---------------------------------------  
  
The following is example data to send to the server with telnet or  
netcat; it will create a file called badfile.txt three directories above  
the upload folder (so usually the file will be c:\badfile.txt):  
  
http://aluigi.altervista.org/poc/wfshare-up.txt  
  
  
B] Remote crash  
---------------  
  
The following are some examples using 2 of my generic toolz:  
  
http://aluigi.altervista.org/poc/webpostmem.zip  
http://aluigi.altervista.org/mytoolz/poststrike.zip  
  
To test the CPU at 100% use "webpostmem 2000 1 server"  
To test the crashing of the server use webpostmem with a higher first  
value or use "poststrike server"  
To try to freeze the system you can launch "webpostmem 1000 10 server"  
and try other methods  
  
  
C] Directory authorization bypass  
---------------------------------  
  
http://server/directory./  
http://server/\directory/  
http://server///directory/  
"GET \directory/ HTTP/1.0"  
  
  
#######################################################################  
  
======  
4) Fix  
======  
  
  
Version 2.48, or the upgrade patch if version 2.46 is already  
installed on the system.  
Note: version 2.46 patches all the bugs except one type of directory  
authorization bypass, which is fixed in version 2.48.  
  
  
#######################################################################  
  
  
---   
Luigi Auriemma  
http://aluigi.altervista.org  
`
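
Added example (not part of the original advisory and not the vendor's code): a server-side check for bugs A and C, showing how an upload filename is confined to the upload folder and how a request path is canonicalized before the protected-directory decision. UPLOAD_DIR, PROTECTED_DIRS and the function names are assumptions made for illustration.

```python
import ntpath
from urllib.parse import unquote

# Constructed sample configuration (assumptions, not values from the advisory).
UPLOAD_DIR = r"C:\wfs\upload"
PROTECTED_DIRS = {"directory"}  # first-level directories that need a password


def safe_upload_path(filename, upload_dir=UPLOAD_DIR):
    """Bug A: confine a client-supplied multipart filename to upload_dir."""
    # Keep only the last component, treating both / and \ as separators.
    name = ntpath.basename(filename.replace("/", "\\"))
    # Windows ignores trailing dots and spaces when it opens a file.
    name = name.rstrip(". ")
    if not name or ":" in name:
        raise ValueError("rejected upload filename: %r" % filename)
    target = ntpath.normpath(ntpath.join(upload_dir, name))
    # Defence in depth: the result must sit directly inside upload_dir.
    if ntpath.dirname(target).lower() != ntpath.normpath(upload_dir).lower():
        raise ValueError("upload escapes upload directory: %r" % filename)
    return target


def canonical_segments(uri_path):
    """Bug C: reduce a request path to one canonical list of segments."""
    path = unquote(uri_path).replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg == "..":
            raise ValueError("dot-dot segment in request path")
        seg = seg.rstrip(". ")  # "directory." names "directory" on Windows
        if seg:  # drops empty segments from leading or repeated slashes
            segments.append(seg.lower())
    return segments


def requires_auth(uri_path):
    """Authorize on the canonical form so every spelling gets one answer."""
    segs = canonical_segments(uri_path)
    return bool(segs) and segs[0] in PROTECTED_DIRS


if __name__ == "__main__":
    print(safe_upload_path("../../../file.txt"))
    for uri in ["/directory./", "/\\directory/", "///directory/", "/public/"]:
        print(uri, requires_auth(uri))
```

The check only holds if the file is then opened from the same canonical segments that were authorized, not from the raw request path.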
