Vulnerability

    AMLServer

Affected

    AMLServer

Description

    Following is  based on  a Strumpf  Noir Society  Advisories.   Air
    Messenger LAN  Server is  a paging  gateway server  for MS Windows
    that allows you to send  and recieve messages to a  paging network
    over a TCP/IP LAN to phones, pagers and e-mail.

    AMLServer Directory Traversal Problem
    =====================================
    AMLServer's  "Webpaging"  http  interface  is  susceptible  to   a
    directory traversal  attack.   Adding the  string "../"  to a  URL
    allows  an  attacker  access  to  files outside of the webserver's
    publishing directory.  This allows read access to any file on  the
    server.

    AMLServer Plaintext Password Storage
    ====================================
    A  second   problem  is   found  in   the  file   pUser.Dat.   All
    username/password combinations applicable to the various  services
    provided by AMLServer are stored in this file in plaintext.

    AMLServer Path Disclosure
    =========================
    The mentioned userfile is  stored in the server's  main directory.
    The exact location can  be obtained exploiting another  problem in
    the web interface, a path  disclosure bug.  The http-header  field
    'Location' contains the full path to servermaindir/Messages.

    For example:

        $ telnet target 80|grep Location

        Location: http://C:\PROGRA~1\ISS\AIRMES~1\Messages
        Connection closed by foreign host.

    This was tested against AMLServer 3.4.2 on Win2k.

Solution

    Vendor has been  notified and has  expressed the intention  to fix
    these problems in version 4.   Unfortunately, at the time of  this
    advisory the vendor wasn't able  to supply us with an  approximate
    date for this "fixed" release so  we have not been able to  verify
    this.