From dendler@idefense.com Wed Sep 25 20:19:52 2002
From: David Endler
To: bugtraq@securityfocus.com
Date: Mon, 23 Sep 2002 16:41:19 -0400
Subject: iDEFENSE Security Advisory 09.23.2002: Directory Traversal in Dino's Webserver

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 09.23.2002
Directory Traversal in Dino's WebServer

DESCRIPTION

A vulnerability exists in the latest version of Dino's Webserver that allows an attacker to view and retrieve any file on the system. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1133 to this issue.

ANALYSIS

An attacker can construct a URL that causes Dino's Webserver to navigate to any directory on the same logical drive as the web application and read the files in it. The URL uses the URL-encoded representations of "/" (%2f) and "\" (%5c) as path separators; the ".." segments joined by encoded separators are not caught by the fix for the earlier literal traversal, so the server resolves them after decoding.

e.g. http://$host/%2f..%2f..%2f..$directory$file

This issue is similar to CVE-2002-0111, which involved a traditional ".." directory traversal flaw that was fixed. The general remedy for this class of bug is to percent-decode the request path fully, normalize both separators, resolve "." and "..", and then verify that the resulting path still lies under the document root, rather than filtering the raw request for a literal "../".

DETECTION

This vulnerability affects Dino's Webserver version 1.2.

VENDOR RESPONSE

The author, Anders Jensen, outdoors@tiscali.no, stated:

"My webserver will be removed from the downloads that I control, I neither have the time nor the resources to do anything else at the moment."

The public download site, http://home.no.net/~nextgen/, has been replaced with a message reading:

"Dino's FunSoft is no longer available. The software will maybe sometime in the future be available on another label, but when and if for sure I really can't tell, sorry. Dino_"

Dino's Webserver remains available, however, via many other download sites such as download.com, etc.
DISCLOSURE TIMELINE

8/10/2002 - Disclosed to iDEFENSE
9/6/2002 - Disclosed to Vendor, Anders Jensen
9/6/2002 - Disclosed to iDEFENSE Clients
9/14/2002 - Vendor Response
9/23/2002 - Public Disclosure

CREDIT

This issue was exclusively disclosed to iDEFENSE by Tamer Sahin (ts@securityoffice.net).

Get paid for security research: http://www.idefense.com/contributor.html

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071
dendler@idefense.com
www.idefense.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

iQA/AwUBPY98GUrdNYRLCswqEQI72ACg9Wk4Sz3/UMw48BBuexmMeYDbO7kAoMKX
KWsbJK1rUChBvXQcW/0wbB4F
=ymjN
-----END PGP SIGNATURE-----
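The encoded-separator traversal described in the ANALYSIS section above, shown as a filter of the kind that blocks the literal "../" form but lets "%2f..%2f" and "%5c..%5c" through, beside a check that decodes first and confines the resolved path to the document root. This is an added example, not code from the advisory or from Dino's Webserver; the document root, the sample request paths and the exact behaviour of the "naive" filter are assumptions constructed for the illustration. The hardened check also handles double encoding (%252f), which goes beyond what the advisory shows.

```python
"""Encoded-separator directory traversal (CAN-2002-1133 class):
a raw-request filter that the %2f / %5c variant bypasses, beside a
decode-then-confine check that survives it.

Added example; not the Dino's Webserver source. DOCROOT and the
sample request paths are constructed for the illustration."""
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www/htdocs"  # hypothetical document root (assumption)


def naive_resolve(request_path):
    """Vulnerable pattern: reject the literal traversal tokens in the raw
    request, then percent-decode and join onto DOCROOT. Because the
    check runs before decoding, '%2f..%2f' and '%5c..%5c' pass it."""
    if "../" in request_path or "/.." in request_path:
        return None  # the classic literal '../' form is blocked
    decoded = unquote(request_path).replace("\\", "/")
    return posixpath.normpath(DOCROOT + "/" + decoded.lstrip("/"))


def safe_resolve(request_path):
    """Hardened check: decode first (repeatedly, so %252f double encoding
    is caught too), fold backslashes into '/', normalise away '.' and
    '..', then require the resolved path to stay inside DOCROOT.
    Returns the filesystem path, or None when the request is rejected."""
    decoded = request_path
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    else:
        return None  # still changing after three passes: refuse it
    if "\x00" in decoded:
        return None  # a NUL would truncate the name in a C-level open()
    decoded = decoded.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if candidate != DOCROOT and not candidate.startswith(DOCROOT + "/"):
        return None  # resolved to somewhere outside the document root
    return candidate


# Constructed request paths: the advisory's encoded-slash form, the
# encoded-backslash variant, the classic literal form, and two
# legitimate requests (the second contains a harmless in-tree '..').
SAMPLE_REQUESTS = [
    "/%2f..%2f..%2f..%2fetc%2fpasswd",
    "/%5c..%5c..%5c..%5cetc%5cpasswd",
    "/../../../etc/passwd",
    "/index.html",
    "/docs/../index.html",
]


def compare(requests=SAMPLE_REQUESTS):
    """Map each request to (naive result, hardened result)."""
    return {r: (naive_resolve(r), safe_resolve(r)) for r in requests}


if __name__ == "__main__":
    for req, (naive, safe) in compare().items():
        print(f"{req:40} naive={naive!s:28} safe={safe}")
```

Running the block shows the two encoded variants resolving to /etc/passwd under naive_resolve while safe_resolve rejects them; note that the raw-string filter also wrongly refuses the legitimate "/docs/../index.html", which the decode-then-confine check serves correctly.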