Vapid Labs
			       Security Note

A quick note on Fastlink Software's TheServer http server.  I was not
going to write this up since it is a silly problem but this server is
listed in the netcraft survey so people are using it.  TheServer is a very
small and simple webserver for the Windows platform it consists of a
single executable and configuration file.


Problem: TheServer stores the password for log file accesss in cleartext.
This password is stored in the server.ini file.  Which by default resides
in the servers root directory.  This is a VERY simple webserver for
Windows 98/95 if the server is setup to log, then the password is also
sent to the logfile when accessing the server logs remotely.  The risk is
you can have someone else parsing your weblogs that you never intended.


Netcraft Survey:
http://www.netcraft.com/Survey/servers.html

Larry Cashdollar
Vapid Labs
http://vapid.ath.cx

Vendor Response:
http://www.fastlinksoftware.com/


Hello Larry;

    I'm the developer of TheServer.  I've posted information about the
security issue you wrote about on Security Tracker on my website at
http://www.fastlinksoftware.com under the FAQ section.  The information I
posted is as follows:

Q:  How do I prevent people from downloading my SERVER.INI file and
getting my system password?

A:  Make a folder below the root of your web pages and place SERVER.EXE
and SERVER.INI there.
Set the 'root' field in the SERVER.INI file to the folder where your web
pages start.
Add a 'restrict' line for the new folder you created.

Example:
Your web pages are in c:\web
Make a folder called 'bin' under c:\web.
Place SERVER.EXE and SERVER.INI in the 'bin' folder.
Edit the SERVER.INI file and change the 'root' field as follows:
root=c:\web
Add a line in the SERVER.INI file that would appear as follows:
restrict=bin

With the above example when TheServer starts it will look for the
starting web page in 'c:\web' and access will be restricted to the 'bin'
folder that contains the SERVER.INI file.


Thanks,

Allen Rodgers.