
Title: 24Link 1.06 Web Server Vulnerability
Released by: Phriction
Date: 28th November 2000
24Link 1.06 Web Server


PROBLEM:

A vulnerability was found in 24Link 1.06 Web Server for Windows
95/98/2000/NT machines. The vulnerability allows you to view any password
protected files on the Web Server, provided that the Authorization -
Check User Name and Password - On all Requests option wasn't chosen, which
asks for user name/password for every request sent to the server. If
specific files are password protected, for example by default the
access.txt log file is, I can bypass the password prompt by putting one of
these before the filename in the request to the server:

/+/
/./
/+./
/++/
/++./

or any of these with the ending slash being two or more /'s, up to around
200, for example http://24link.net/++//////protected.html

For example, 24Link has a default file password protected, the log file, so
on a 24Link Server I would send a request "GET /+/access.txt
HTTP/1.0\r\n" or type in my favorite browser
http://24linkserver.com/+/access.txt and it will return the access.txt.
This works on any other specifically password protected file or directory.
Also, by default 24Link 1.06 allows directory listing, which can lead to
many a security compromise.
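As an added illustration (not part of the original advisory), the Python sketch below scans web server log lines for the request shapes listed above: a path segment made only of '+' and '.' characters, or a run of two or more slashes, in front of a protected file. The log line layout, the protected-file list and all function names are assumptions for the example, and the sample lines are constructed.

```python
import re

# Segment of only '+' and '.' characters (/+/, /./, /+./, /++/, /++./).
FILLER_SEGMENT = re.compile(r"^[+.]+$")
# Two or more consecutive slashes, as in /++//////protected.html.
SLASH_RUN = re.compile(r"/{2,}")
# Request line inside an access-log entry (log layout is an assumption).
REQUEST_LINE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/\d\.\d"')


def effective_path(path):
    """Drop filler segments and empty segments; return the path left over."""
    path = path.split("?", 1)[0]
    kept = [s for s in path.split("/") if s and not FILLER_SEGMENT.match(s)]
    return "/" + "/".join(kept)


def is_suspicious(path):
    """True if the path carries a filler segment or a run of slashes."""
    path = path.split("?", 1)[0]
    return bool(SLASH_RUN.search(path)) or any(
        FILLER_SEGMENT.match(s) for s in path.split("/"))


def scan(log_lines, protected):
    """Return (line_no, raw_path, target) for flagged requests to protected files."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        raw = m.group(1)
        target = effective_path(raw)
        # Windows file names are case-insensitive, so compare in lower case.
        if is_suspicious(raw) and target.lower() in protected:
            hits.append((n, raw, target))
    return hits


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 [28/Nov/2000:10:00:05] "GET /access.txt HTTP/1.0" 401',
    '192.0.2.10 [28/Nov/2000:10:00:09] "GET /+/access.txt HTTP/1.0" 200',
    '192.0.2.11 [28/Nov/2000:10:02:00] "GET /++.//////protected.html HTTP/1.0" 200',
    '192.0.2.12 [28/Nov/2000:10:03:00] "GET /docs/v1.0/readme.txt HTTP/1.0" 200',
]
PROTECTED = {"/access.txt", "/protected.html"}  # hypothetical protected list

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, PROTECTED):
        print(hit)
```

A flagged request that was answered with the file rather than a password prompt is the case worth investigating; the direct request for /access.txt is not flagged because it carries no filler segment.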





FIXES:

I contacted the vendor over a week ago and still nothing back. I would
suggest, if you need, absolutely need, to use this web server, do not store
private or sensitive information in the Server Root directory tree. If you
have to have sensitive information, make sure you uncheck allow directory
listings under the options menu and choose the Authorization - Check User
Name and Password - On all Requests option, or in 2000/NT set up rights
so those files are not world-readable (NOTE: I do not have an NT box to
install this server on and test it; this is just a suggestion and should be
tested first to make sure it works correctly).



DISCOVERY:

Legions of the Underground
Phriction
Phric@legions.org







