[SecurityOffice] Falcon Web Server Unauthorized File Disclosure Vulnerability #2

[Tamer Sahin <ts () securityoffice net>]

--[ Falcon Web Server Unauthorized File Disclosure Vulnerability #2 ]--

--[ Type

File Disclosure

--[ Release Date

May 27, 2002

--[ Product / Vendor

Falcon Web Server is a desktop web server capable of running a small / 
medium website with a typical load of up to 50-80 hits per minute. The 
server has the ability to execute ISAPI and WinCGI applications from 
virtual directories.

http://www.blueface.com

--[ Summary

Due to a flaw in Falcon Web Server 2.0 for Windows, it is possible for a 
user to gain read access of known password protected files residing on a 
Falcon Web Server host.

http://host/protectedfolder./

--[ Tested

Windows 2000 / Falcon Web Server 2.0.0.1021
Windows 2000 / Falcon Web Server 2.0.0.1021 SSL Edition

--[ Vulnerable

Falcon Web Server 2.0.0.1021
Falcon Web Server 2.0.0.1021 SSL Edition

--[ Disclaimer

http://www.securityoffice.net is not responsible for the misuse or 
illegal use of any of the information and/or the software listed on this 
security advisory.

--[ Author

Tamer Sahin
ts () securityoffice net
http://www.securityoffice.net

All our advisories can be viewed at http://www.securityoffice.net/articles/

Please send suggestions, updates, and comments to 
feedback () securityoffice net

(c) 2002 SecurityOffice

This Security Advisory may be reproduced and distributed, provided that 
this Security Advisory is not modified in any way and is attributed to 
SecurityOffice and provided that such reproduction and distribution is 
performed for non-commercial purposes.

Tamer Sahin
http://www.securityoffice.net