cht-2004.txt

`#####################################  
# CHT Security Research Center-2004 #  
# http://www.CyberSpy.Org #  
# Turkey #  
#####################################  
  
Software:  
Web Forums Server  
  
Web Site:  
http://www.minihttpserver.net  
  
Affected Version(s):  
1.6,2.0 Power Pack(current)  
  
Description:  
Web Forums Server is "all in one" Web Server for Microsoft Windows Operating  
Systems.  
Web Forums Server have a build in User manage system, Message Board system,  
ShareFile System  
,Share Photo System.include a powerful, flexible, compliant web server.  
Implements the latest protocols,including HTTP/1.1 (RFC2616)  
  
Multiple Vulnerabilities in Web Forums Server:  
  
Directory Traversal Vulnerability:  
  
There is directory traversal vulnerability in Web Forums Server that may allow a  
remote attacker  
to view files residing outside of the web server root directory.  
  
Examples:  
  
http://[victim]/..\..\..\file.ext  
http://[victim]/../../../file.ext  
or as encoded format:  
http://[victim]/%2E%2E%5C%2E%2E%5C%2E%2E%5Cfile.ext  
http://[victim]/%2E%2E%2F%2E%2E%2F%2E%2E%2Ffile.ext  
  
  
Plaintext Password Vulnerability:  
  
Web Forums Server stores all accounts with the passwords in plaintext using  
Username.ini file.  
So this could lead to users gaining unauthorized access to passwords,  
and potentially unauthorized access to the Web Forums Server.  
  
---  
Reported By R00tCr4ck at November,2 2004  
contact:  
root(at)CyberSpy.Org  
Original article can be found at http://www.CyberSpy.Org  
  
  
`