Visual Synapse Directory Traversal

Type packetstorm
Reporter Felipe Daragon
Modified 2010-10-08T00:00:00


                                            ` Syhunt Advisory: Visual Synapse HTTP Server Directory Traversal  
Advisory-ID: 201010071  
Discovery Date: 09.07.2010  
Release Date: 10.07.2010  
Affected Applications: Visual Synapse HTTP Server 1.0 RC3, 1.0  
RC2, 1.0 RC1, 0.60 and previous releases; And any applications  
using the Visual Synapse HTTP Server component  
Class: Directory Traversal  
Status: Unpatched/Vendor informed  
Vendor: Rene Tegel  
Vendor URL:  
Advisory URL:  
The Common Vulnerabilities and Exposures (CVE) project has  
assigned the following CVE to this vulnerability: CVE-2010-3743  
Visual Synapse HTTP Server is an open source HTTP server and  
also server component for Delphi, Freepascal and C++ Builder  
developed by Rene Tegel. The server supports PHP, Perl and CGI  
and is distributed both as source and as precompiled binary.  
A vulnerability in the Visual Synapse HTTP server allows remote  
attackers to traverse directories on the system. This is  
possible by sending a specially-crafted URL request containing  
"dot dot" sequences (/..\).  
Example 1:  
GET /..\..\..\..\windows/system.ini HTTP/1.0  
Example 2:  
GET /..\..\..\boot.ini HTTP/1.0  
Note: the server was installed in the "C:\Server\VSHTTPD\"  
Sandcat can also be used to identify this issue:  
Vulnerability Status:  
The vendor was notified, but no reply has been received.  
The source code of the server warns about possible security  
issues and that it is not suitable for production environments  
yet. This warning must be taken seriously.  
Any application using this source is vulnerable unless the code  
is patched. Any machine running the compiled HTTPD Server demo  
is vulnerable as well, unless the application is replaced with  
an up-to-date and patched version.  
Felipe Aragon  
Syhunt Security Research Team,  
Copyright © 2010 Syhunt Security  
The information in this advisory is provided "as is" without  
warranty of any kind. Details provided are strictly for  
educational and defensive purposes.  
Syhunt is not liable for any damages caused by direct or  
indirect use of the information provided by this advisory.