Multiple vulnerabilities found in Forum Web Server v1.60
http://www.minihttpserver.net
Discovered by Dennis Rand
------------------------------------------------------------------------

-----[SUMMARY

WebForums Server allows you to set up a bulletin board and photo/file exchange web service. It offers a built-in HTTP engine, internal database engine, integrated HTML/script pages, user management interface, message board engine and a secure file upload/download option. It is without a doubt the easiest and most complete all-in-one forum server software you have seen.

It is possible to get access to server files outside the restricted area of the server and make sensitive files public. Second, there is an XSS vulnerability in the forum area. Third, it is possible to steal usernames and passwords.

-----[DETAILS

Vulnerable systems:
 Windows NT 4.0 and Windows 2000 Server, fully patched
 * Forum Web Server v1.60

Immune systems:
 * Forum Web Server v1.61

A crafted request allows remote users to break out of restricted directories and gain read access to the system directory structure; files can be retrieved from outside the restricted areas. The server is also vulnerable to XSS and, last but not least, I've discovered an information leak that exposes the user database of the Forum Web Server.

The following transcript demonstrates a sample exploitation of the vulnerabilities:
-------------------------------------------------------------------

Traversal:
Within the File Sharing area, press the "Upload new file" button. In the upload field, insert:

 \\\c$\winnt\repair\sam._

This will now be uploaded to an area where you can get the sam._ file and then use e.g. L0phtCrack for breaking the passwords.

XSS:
When posting or replying to a message in the "Message Forum" it is possible to use the XSS vulnerability both in the Subject and the Message, e.g. insert this into either Subject or Message.

Information leak:
It is possible, by using the traversal exploit, to get the usernames and passwords from the Forum Web Server simply by "uploading":

 \\\c$\program Files\web forums server\user.ini

The usernames and passwords are in clear text, ready to use.
--------------------------------------------------------------------

-----[DETECTION

Forum Web Server is vulnerable to the above-described attacks. Earlier versions may be susceptible as well. To determine if a specific implementation is vulnerable, experiment by following the above transcript.

-----[VENDOR RESPONSE

Received first reply from David Yuan (Master@minihttpserver.com):
"We thank you for the information and will fix this issue as soon as possible."

-----[DISCLOSURE TIMELINE
--------------------
21/02/2003 Found the vulnerability.
21/02/2003 Reported to vendor (support@minihttpserver.net and master@minihttpserver.net).
21/02/2003 Vendor reply; they now know of the vulnerabilities.
04/03/2003 Fix made public.
06/03/2003 Public disclosure.

-----[ADDITIONAL INFORMATION

The vulnerability was discovered by Dennis Rand.

-----[DISCLAIMER

The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
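A defensive check for the upload field abused in the Traversal section above, added here as an example and not the vendor's code: the function accepts only a bare file name and rejects the separator, administrative-share, drive-letter and stream forms that let a submitted name escape the upload area (function names and the sample inputs are constructed; the two traversal strings are the ones quoted in the advisory).

```python
import re

# Windows reserved device names (CON, PRN, AUX, NUL, COM1..9, LPT1..9)
_RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}
# Allow-list: one plain file name, no separators, shares, drive letters or streams
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,127}$")


def check_upload_name(submitted: str) -> tuple[bool, str]:
    """Return (accepted, reason). Only a bare file name is allowed into the upload area."""
    if "\x00" in submitted:
        return False, "embedded NUL byte"
    if "\\" in submitted or "/" in submitted:
        # Covers ..\ traversal, absolute paths and UNC / administrative shares such as \\host\c$
        return False, "path separator in file name"
    if ":" in submitted:
        # Drive letter (C:) or NTFS alternate data stream (name:stream)
        return False, "drive letter or stream syntax"
    if submitted.strip(" .") == "":
        return False, "empty or dot-only name"
    if submitted != submitted.rstrip(" ."):
        # Windows silently strips trailing dots/spaces, so these names alias other files
        return False, "trailing space or period"
    if submitted.split(".")[0].upper() in _RESERVED:
        return False, "reserved device name"
    if not _SAFE_NAME.match(submitted):
        return False, "character outside allow-list"
    return True, "ok"


# Constructed sample inputs: the advisory's two traversal strings plus ordinary names
SAMPLES = [
    r"\\\c$\winnt\repair\sam._",
    r"\\\c$\program Files\web forums server\user.ini",
    "../../user.ini",
    "C:boot.ini",
    "CON.txt",
    "holiday photo.jpg",
    "report_2003-03-06.pdf",
]


def triage(names=SAMPLES) -> dict[str, str]:
    """Map each candidate name to the reason it was accepted or rejected."""
    return {n: check_upload_name(n)[1] for n in names}


if __name__ == "__main__":
    for name, reason in triage().items():
        print(f"{reason:32} {name!r}")
```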