Bugtraq mailing list archives
Falcon Web Server
From: advisory+falcon () BOS BINDVIEW COM (Advisory)
Date: Tue, 26 Oct 1999 11:43:31 -0400
BindView Security Advisory
Falcon Web Server Technical Advisory
Issue date: 10/24/99
Contact: Andrew Reiter <areiter () bos bindview com>
Topic
-----
Falcon Web Server suffers from a path parsing problem, which allows a
remote user to escape out of the webroot directory. Also, the web
server gives up information about itself when certain filenames are
requested.
Affected Systems
----------------
Windows 95/98/NT running BlueFace's Falcon Web Server version 1.0.0.1006.
Overview
--------
The Falcon Web Server (FWS) is a fully functional web server meant for
running on desktop computers, handling about 50 to 80 hits per minute.

The Falcon Web Server is plagued by a path parsing bug which has
affected other web servers in the past, such as old IIS and Apache. This
bug allows a remote user to "break out" of the webroot directory, where
the web server runs, and browse directories and/or download files from
areas outside of the webroot directory.

The default settings of the web server allow browsing of directories and
reading of files outside the webroot directory. Users can disable this
"feature." If it is disabled, one can still read the files, but the
complete path must be known to the attacker.

FWS also has a bug in handling long file name requests, in which it will
give up the location of the webroot directory. This can be used as an
information-gathering technique for further attacks on the machine.
Impact
------
Remote users have the ability to view directory paths, download files
(depending on permissions), and may use this to compromise the web server.
Appendix A, Software Information
--------------------------------
Falcon Web Server
FWS version 1.0.0.1008 fixes the vulnerabilities and is
available at:
http://www.blueface.com/products.html#fws
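
The following is an added example, not part of the BindView advisory and not
BlueFace's code: a sketch of the server-side check that prevents both problems
described in the Overview, by canonicalizing the requested path before
comparing it with the webroot and by answering every rejected request with one
fixed body that echoes no path. The advisory does not give the request format,
so the function names, the 255-character cap and the sample requests are
constructed assumptions.

```python
import os
import tempfile

MAX_URL_PATH = 255  # assumed cap; over-long names get the same generic 404


def resolve_request(webroot, url_path):
    """Return the canonical file path under webroot, or None to refuse."""
    if len(url_path) > MAX_URL_PATH or "\x00" in url_path:
        return None
    root = os.path.realpath(webroot)
    # A Windows server must treat both "/" and "\" as separators.
    parts = url_path.replace("\\", "/").lstrip("/").split("/")
    candidate = os.path.realpath(os.path.join(root, *parts))
    # Compare canonical paths; a string-prefix test confuses /www and /www-old.
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. a different drive letter on Windows
        inside = False
    return candidate if inside and os.path.isfile(candidate) else None


def handle(webroot, url_path):
    """Serve a file, or one fixed 404 body that echoes no path at all."""
    path = resolve_request(webroot, url_path)
    if path is None:
        return 404, b"Not Found"
    with open(path, "rb") as fh:
        return 200, fh.read()


def demo():
    """Run constructed requests against a throwaway webroot."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "webroot")
        os.mkdir(webroot)
        with open(os.path.join(webroot, "index.html"), "w") as fh:
            fh.write("hello")
        with open(os.path.join(tmp, "outside.txt"), "w") as fh:
            fh.write("not served")
        requests = ["/index.html", "/../outside.txt",
                    "/..\\outside.txt", "/" + "A" * 4000]
        return [handle(webroot, r) for r in requests]


if __name__ == "__main__":
    for status, body in demo():
        print(status, body)
```

Only the first request is served; the requests that resolve outside the
webroot and the over-long name all receive the identical 404 body.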
