24Link Webserver

[phriction <phric () LEGIONS ORG>]

24Link 1.06 Web Server
x
PROBLEM:

A vulnerability was found in 24Link 1.06 Web Server for Windows
95/98/2000/NT machines. The vulnerability allows you to view any password
protected files on the Web Server,  provided that the Authorization -
Check User Name and Password- On all Requests option wasn't chosen, which
asks for user name/password for every request sent to the server. If
specific files are password protected, for example by default the
access.txt log file is, I can bypass the password prompt by putting one of
these before the filename in the request to the server,

/+/
/./
/+./
/++/
/++./
or any of these and the ending slash being two or more /'s up to around
200.. for example http://24link.net/++//////protected.html

for example 24Link has a default file password protected, the log file so
on a 24Link Server  I would send a request "GET /+/access.txt
HTTP/1.0\r\n" or type in my favorite browser
http://24linkserver.com/+/access.txt it will return the access.txt. And works on any other
specifically password protected file or directory, also by default 24Link
1.06 allows directory listing which can lead to many a security
compromise.


FIXES:
I contacted the vendor over a week ago and still nothing back, I would
suggest if you need, absolutely need to use this web server do not store
private or sensitive information in the Sever Root directory tree. If you
have to have sensitive information make sure you uncheck allow directory
listings under the options menu and choose the Authorization - Check User
Name and Password- On all Requests option or in 2000/NT setting up rights
so those files are not world-readable (NOTE: I do not have an NT box to
install this server on and test it, this is just a suggestion, should be
tested first to make sure it works correctly).

DISCOVERY:
Legions of the Underground
Phriction
Phric () legions org