From SecurityTeam@DELPHISPLC.COM Fri Aug 25 20:46:34 2000 From: Security Team To: BUGTRAQ@SECURITYFOCUS.COM Date: Fri, 25 Aug 2000 10:43:59 +0100 Subject: [BUGTRAQ] DST2K0023: Directory Traversal Possible & Denial of Service in Wo rm HTTP Server [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] ============================================================================ Delphis Consulting Plc ============================================================================ Security Team Advisories [25/08/2000] securityteam@delphisplc.com [http://www.delphisplc.com/thinking/whitepapers/] ============================================================================ Adv : DST2K0023 Title : Directory Traversal Possible & Denial of Service in Worm HTTP Server Author : DCIST (securityteam@delphisplc.com) O/S : Microsoft Windows NT v4.0 Workstation (SP6) Product : Worm HTTP Server v1.0 Date : 25/08/2000 I. Description II. Solution III. Disclaimer ============================================================================ I. Description ============================================================================ Vendor URL: http://www.wormonline.com/software.htm Delphis Consulting Internet Security Team (DCIST) discovered the following vulnerabilities in Worm HTTP Server under Windows NT. Severity: medium It is possible to cause a denial of service by passing a very log filename in the url. This causes the Worm HTTP server to crash with a 'runtime error' causeing denial of service. Severity: high It is possible to traverse directories lower than the web root by knowing the exact path and filename of the file you wish to retrieve. This is done by executing the double-dot-bug similar to other web servers. II. Solution ============================================================================ Vendor Status: Informed The work around for the directory traversal exploit will only work under WindowsNT. Due to the fact that the Worm HTTP server runs as the useraccount which started it allows you to set appropriate NTFS permissions to limit the files the webserver is able to access. III. Disclaimer ============================================================================ THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON, THIS INFORMATION FOR ANY PURPOSE. ============================================================================ This e-mail and any files transmitted with it are intended solely for the addressee and are confidential. They may also be legally privileged.Copyright in them is reserved by Delphis Consulting PLC ["Delphis"] and they must not be disclosed to, or used by, anyone other than the addressee.If you have received this e-mail and any accompanying files in error, you may not copy, publish or use them in any way and you should delete them from your system and notify us immediately.E-mails are not secure. Delphis does not accept responsibility for changes to e-mails that occur after they have been sent. Any opinions expressed in this e-mail may be personal to the author and may not necessarily reflect the opinions of Delphis