Vulnerability

    Eserv

Affected

    Eserv 2.50 Web interface Server

Description

    Ussr Labs found  following.  Eserv/2.50  is the complete  solution
    to access Internet from LAN:

        - Mail  Server  (SMTP  and  POP3,  with  ability to share  one
          mailbox on the ISP, aliases and mail routing support)
        - News Server (NNTP)
        - Web  Server  (with  CGI,  virtual  hosts, virtual  directory
          support, web-interface for all servers in the package)
        - FTP Server (with virtual directory support)
        - Proxy Servers
          * FTP proxy and HTTP caching proxy
          * FTP gate
          * HTTPS proxy
          * Socks5, Socks4 and 4a proxy
          * TCP and UDP port mapping
          * DNS proxy
        - Finger Server
        - Built-in scheduler and dialer (dial on demand, dialer server
          for extern agents, scheduler for any tasks)

    UssrLabs   found   a   Eserv   Web   Server   Directory  Traversal
    Vulnerability Using  the string  '../' in  a URL,  an attacker can
    gain read access to any file outside of the intended web-published
    filesystem directory.  There is not much to expand on this one....
    Example:

        http://127.1:3128/../../../conf/Eserv.ini

    to show all configuration file including account names.

Solution

    Windows allow to open the file with name

        wwwroot\--\..\..\conf\Eserv.ini

    when folder "--" not exists.   Seems this is Windows bug, will  be
    fixed (already fixed in the Eserv build 2841).