mailing list archives
Falcon Web Server Authentication Circumvention Vulnerability
From: Strumpf Noir Society <vuln-dev () labs secureance com>
Date: Wed, 13 Feb 2002 21:18:15 +0100
Strumpf Noir Society Advisories
! Public release !
-= Falcon Web Server Authentication Circumvention Vulnerability =-
Release date: Wednesday, February 13, 2002
Falcon Web Server is a ISAPI and WinCGI supporting web server running
on the Microsoft Windows OS's.
Falcon Web Server is available from vendor BlueFace's web site:
Falcon Web Server supports virtual directory mapping and allows the
server administrator to use a user-authentication scheme to protect
the content of these directories. Due to a problem in the parsing
of requests made to said directories however, it is possible to
circumvent this authentication scheme and access any file in a
protected directory without supplying the proper credentials.
This can be done through adding an additional backslash at the beginning
of the virtual path. For example, the server comes with one such path
to a directory 'test' pre-configured, which requires authentication to
be accessed. A direct request to this directory ('http://server/test/')
without supplying the proper credentials will return a 401 Unauthorized
error. Requesting the same directory as 'http://server//test/' however,
will allow the user access without authenticating.
Vendor has been notified and has adressed this issue by releasing build
18.104.22.1681 for the Falcon Web Server Standard and SSL editions. This has
been tested against Falcon Web Server builds 22.214.171.1249 and 126.96.36.1990
SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant, all information is provided on AS IS basis.
EOF, but Strumpf Noir Society will return!
- Falcon Web Server Authentication Circumvention Vulnerability Strumpf Noir Society (Feb 14)