Multiple Vulnerabilities in NetServe Web Server for Windows

Reported November 20, 2003, by nimber.

VERSIONS AFFECTED

• Net-X Solutions Ltd’s NetServe 1.0.7

DESCRIPTION

Two newly discovered vulnerabilities in Net-X Solutions Ltd’s NetServe 1.0.7 can result in the remote compromise of the vulnerable system. The first vulnerability is a directory-traversal vulnerability, and the second vulnerability is a configuration- and password-disclosure vulnerability.
 

DEMONSTRATION

The discoverer has posted the following scenarios as proof of concept:

Directory Traversal:

The NetServe server doesn’t properly filter " /../../ ", thereby permitting an attacker to view files that reside below the bounding HTML root directory.

Example:

You can view either directories http://\[victim\]/../test/, or files http://\[victim\]/../test/test.txt.

Configuration Disclosure:

By default, NetServe's configuration files contain a directory below the wwwroot's. Using the above vulnerabilities, a remote attacker can download the remote server's configuration by requesting a special URL.



Example:

By requesting http://\[victim\]/../config.dat, an attacker can view the server's configuration file.

VENDOR RESPONSE

Net-X Solutions Ltd has been notified.

CREDIT

Discovered by nimber.