mailing list archives
Multiple Vulnerabilities In AMLServer
From: SNS Research <vuln-dev () greyhack com>
Date: Mon, 18 Jun 2001 15:31:29 +0200
Strumpf Noir Society Advisories
! Public release !
-= Multiple Vulnerabilities In AMLServer =-
Release date: Monday, June 18, 2001
Air Messenger LAN Server is a paging gateway server for MS Windows
that allows you to send and recieve messages to a paging network
over a TCP/IP LAN to phones, pagers and e-mail.
AMLServer is available from vendor Internet Software Solutions's
AMLServer Directory Traversal Problem
AMLServer's "Webpaging" http interface is susceptible to a directory
traversal attack. Adding the string "../" to a URL allows an
attacker access to files outside of the webserver's publishing
directory. This allows read access to any file on the server.
AMLServer Plaintext Password Storage
A second problem is found in the file pUser.Dat. All
username/password combinations applicable to the various services
provided by AMLServer are stored in this file in plaintext.
AMLServer Path Disclosure
The mentioned userfile is stored in the server's main directory.
The exact location can be obtained exploiting another problem in
the web interface, a path disclosure bug. The http-header field
'Location' contains the full path to servermaindir/Messages.
$ telnet target 80|grep Location
Connection closed by foreign host.
Vendor has been notified and has expressed the intention to fix
these problems in version 4. Unfortunately, at the time of this
advisory the vendor wasn't able to supply us with an approximate
date for this "fixed" release so we have not been able to verify
This was tested against AMLServer 3.4.2 on Win2k.
Free sk8! (http://www.freesk8.org)
SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant, all information is provided on AS IS basis.
EOF, but Strumpf Noir Society will return!
- Multiple Vulnerabilities In AMLServer SNS Research (Jun 18)