Home page logo
/

bugtraq logo Bugtraq mailing list archives

interSEC security advisory - Multiple bugs in Web602 web server
From: Jan Kachlik <jkachlik () isgroup com>
Date: Fri, 18 Oct 2002 08:29:30 +0200

===[ interSEC - Advisory ]=================================[ Adv. ID: 2002-10-001 ]==

Advisory Information
--------------------
Name                   : Multiple bugs in Web602 web server
Vendor Homepage        : http://www.software602.cz
Platforms              : Windows
Vulnerability Type     : Multiple bugs
Vendor Contacted       : 30/08/2002
Vendor Replied         : 06/09/2002
Non affected version   : 2002.0.02.0916

Vulnerable Versions: v1.xx

Product Description
------------------- 
Web602 is a fully functional http server for windows 95/98/NT. 
It is easily configurable and is quite easy to use. 


Bug #1: Free access to /admin/ section without login
affected:Czech version all.
-------------------
All users have access to /admin/ directory without password. 
This is only for Czech version.


Bug #2: DoS with comX, Aux, LPT
affected: 1.04 all Language
-------------------
When attacker send GET, POST request with /com1 /aux /lpt1 server crash.

example: GET /com1


Bug #3: Directory Tree
affected: All version
-------------------
When attacker add behind URL char "~" or string ".bak" server return directory tree.

example: GET /index.html~ or GET /index.html.bak


Solution
--------
Install latest version. Latest version without bugs is 2002.0.02.0916

Credits
-------
 +---------------------------------+
 ' Kachlik Jan                     '
 ' Security & Network Specialist   '
 ' InterSource Solutions Group     '
 ' Mathonova 25, 613 00 Brno CZ    '
 ' Mail: jkachlik () isgroup com      '
 +---------------------------------+ 

Attachment: interSEC-2002-10-001.sa
Description:


  By Date           By Thread  

Current thread:
  • interSEC security advisory - Multiple bugs in Web602 web server Jan Kachlik (Oct 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault