Re: Eserv 2.50 Web interface Server Directory Traversal Vulnerability

[andrey () CHEREZOV KOENIG SU (Andrey Cherezov)]

Hello!
It was surprise for me - Windows allow to open the file
with name "wwwroot\--\..\..\conf\Eserv.ini"
when folder "--" not exists. Seems this is Windows bug, not my,
but I forced to fix Eserv. (Already fixed in the Eserv build 2841)
Thank you again!

----- Original Message -----
From: Ussr Labs <labs () USSRBACK COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Friday, November 05, 1999 2:17 AM
Subject: Eserv 2.50 Web interface Server Directory Traversal Vulnerability

> Eserv 2.50 Web interface Server Directory Traversal Vulnerability
>
> Product:
>
> Eserv/2.50 is the complete solution to access Internet from LAN:
>
> - Mail Server (SMTP and POP3, with ability to share one mailbox
>   on the ISP, aliases and mail routing support)
> - News Server (NNTP)
> - Web Server (with CGI, virtual hosts, virtual directory support,
>   web-interface for all servers in the package)
> - FTP Server (with virtual directory support)
> - Proxy Servers
>   * FTP proxy and HTTP caching proxy
>   * FTP gate
>   * HTTPS proxy
>   * Socks5, Socks4 and 4a proxy
>   * TCP and UDP port mapping
>   * DNS proxy
> - Finger Server
> - Built-in scheduler and dialer (dial on demand,
>   dialer server for extern agents, scheduler for any tasks)
>
> PROBLEM
>
> UssrLabs found a Eserv Web Server Directory Traversal Vulnerability
> Using the string '../' in a URL, an attacker can gain read access to
> any file outside of the intended web-published filesystem directory
>
> There is not much to expand on this one....
>
> Example:
>
> http://127.1:3128/../../../conf/Eserv.ini   to show all configuration file
> including
> account names
>
>
> Vendor Status:
> no contacted
>
> Vendor   Url: http://www.eserv.ru/
> Program Url: http://www.eserv.ru/eserv/
>
> Credit: USSRLABS
>
> SOLUTION
>
>     Nothing yet.