11th Feb 2002 [SBWID-5087]
COMMAND
MiniPortal remote compromise
SYSTEMS AFFECTED
MiniPortal v1.1.5 on Win2k
PROBLEM
Strumpf Noir Society [http://labs.secureance.com] says:
The FTP server coming with MiniPortal contains multiple vulnerabilities
which could be exploited by an attacker to obtain user account
information, read access to any file on the local HD and which could
lead to arbitrary code execution.
MiniPortal Plaintext Account and Session Data
MiniPortal stores its account information in plaintext .pwd files in
the miniportal/apache directory. Also, full login and session data is
stored plaintext in the file miniportal/mplog.txt. Through either
physical access to the system or by abusing below described directory
traversal problem, elevated privileges could be obtained on the system
in question by retrieving these files.
MiniPortal Directory Traversal Vulnerability
The FTP server supplied with MiniPortal does not properly restrict
access to files outside of the user directory. By using a 'triple
dot' notation ('.../file.ext') an attacker can break out of this
directory and obtain read access to any file on the local disk. (This
vulnerability only seems to work on WinNT/Win2k server systems.)
MiniPortal Login Buffer Overflow Vulnerability
Due to improper bounds checking, a buffer overflow condition is in
existence in one of the logging routines of said FTP server. This can
be exploited by supplying the server with overly long (>4093 bytes)
input at login. Besides crashing the FTP server, this can be exploited
to execute arbitrary code on the system.
SOLUTION
Update to MiniPortal v1.1.6:
http://www.instantservers.com
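
Added example (not part of the advisory and not MiniPortal's code): a defensive check an FTP server can run on a client-supplied path before joining it to the user directory, which refuses the 'triple dot' form described above. The function name, the 260-byte limit and the sample paths are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FTP_PATH 260 /* assumed limit for this example (Windows MAX_PATH) */

static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Hypothetical helper, not MiniPortal code. Returns 1 if a client-supplied
 * FTP path may be appended to the user's home directory, 0 if it must be
 * refused before any file API sees it. */
int ftp_path_is_confined(const char *path)
{
    size_t i = 0, start, len = 0;

    if (path == NULL)
        return 0;
    while (path[len] != '\0')               /* bounded length check */
        if (++len > MAX_FTP_PATH)
            return 0;
    if (len == 0 || strchr(path, ':') != NULL) /* no drive letters or streams */
        return 0;

    while (i < len) {
        while (i < len && is_sep(path[i]))  /* treat '/' and '\' alike */
            i++;
        start = i;
        while (i < len && !is_sep(path[i]))
            i++;
        if (i == start)
            break;                          /* only a trailing separator left */
        /* Refuse components ending in '.' or ' ': covers ".", "..", "..."
         * and names whose trailing dots or spaces Win32 strips. */
        if (path[i - 1] == '.' || path[i - 1] == ' ')
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample paths, not taken from any MiniPortal log. */
    const char *samples[] = { "pub/readme.txt", ".../file.ext",
                              "docs\\...\\file.ext", "../file.ext" };
    size_t n;
    for (n = 0; n < sizeof samples / sizeof samples[0]; n++)
        printf("%-20s %s\n", samples[n],
               ftp_path_is_confined(samples[n]) ? "allow" : "refuse");
    return 0;
}
```

This is a lexical pre-filter only; the server should still canonicalise the joined path and confirm it remains under the user directory before opening the file.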