[ Advisory for Viking ]
[ Viking is made by Robtex. ]
[ Site: http://www.robtex.com/viking ]
[ by nemesystm of the DHC ]
[ (http://dhcorp.cjb.net - email@example.com) ]
[ ADV-0107 ]

/-|=[explanation]=|-\
Viking is a webserver. It has a simple hex-encoded dot dot bug.

/-|=[who is vulnerable]=|-\
Tested to be vulnerable:
Viking 1.04
Viking 1.06
Viking 1.07
I assume earlier versions to be vulnerable as well.

/-|=[testing it]=|-\
To test this vulnerability, try the following.
www.server.com/%2e%2e/%2e%2e/scandisk.log
This works if Viking has been installed in the proposed directory and scandisk.log exists. Add %2e%2e/ to adjust the number of directories to go down, and change scandisk.log to reflect the file you want.

/-|=[notes]=|-\
In the SMTP server VRFY and EXPN are enabled by default and I was unable to turn these commands off. They could be used by spammers to verify accounts. This was verified for Viking 1.07.

/-|=[plug]=|-\
A temporary fix was made available in 15 minutes after e-mailing. The quick and friendly response was just outstanding.

/-|=[fix]=|-\
It is best to download the latest version at www.robtex.com. Another possibility is to add the following line to httpd.cnf:
Wild http:%2e x-viking:/na
I would suggest upgrading, but if that is impossible, the above fix will properly prevent this problem from being exploited on a server.
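
The hex encoded dot dot bug described above, shown as an added example that is not Viking's code or part of the original advisory. It assumes the general bug class in which a traversal check inspects the raw request path before percent-decoding; the function names and all sample requests other than the advisory's test URL are constructed for illustration.

```python
from urllib.parse import unquote


def naive_is_safe(raw_path: str) -> bool:
    """Flawed check (assumed bug class): looks for a literal '..' segment
    in the still-encoded path, so '%2e%2e' passes untouched."""
    return ".." not in raw_path.split("/")


def escapes_root(raw_path: str) -> bool:
    """Decode once, as the server will before opening the file, then track
    directory depth relative to the web root. True if the path climbs above it."""
    # Treating '\' as a separator is an assumption for a Windows host.
    decoded = unquote(raw_path).replace("\\", "/")
    depth = 0
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


# Constructed sample request paths; the second is the advisory's test URL path.
SAMPLE_REQUESTS = [
    "/index.html",
    "/%2e%2e/%2e%2e/scandisk.log",
    "/docs/%2e%2e/index.html",   # encoded '..' that stays inside the root
    "/../boot.ini",              # literal '..', caught by both checks
    "/%2E%2E/boot.ini",          # upper-case hex digits
]


def missed_by_naive(paths):
    """Requests the raw-string check lets through but that leave the web root."""
    return [p for p in paths if naive_is_safe(p) and escapes_root(p)]


if __name__ == "__main__":
    for path in SAMPLE_REQUESTS:
        print(f"{path:32} naive_ok={naive_is_safe(path)!s:5} escapes={escapes_root(path)}")
```

The same decode-then-check order is what a log review should apply: search access logs on the decoded path, not on the literal string `..`.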