Multiple Vulnerabilities in Minihttp's Forum Web Server
Three vulnerabilities exist in Minihttp’s Forum Web Server version 1.60.
March 10, 2003
Reported March 9, 2003, by Dennis Rand.
VERSIONS AFFECTED
Minihttp’s Forum Web Server version 1.60
DESCRIPTION
Three vulnerabilities exist in Minihttp’s Forum Web Server version 1.60. The first allows a potential attacker to access files that reside outside the restricted area of the server. The second allows the insertion of malicious HTML and JavaScript into existing web pages (Cross Site Scripting). The third makes it possible to steal the usernames and passwords of other users.
DEMONSTRATION
The discoverer posted the following scenarios as proof of concept:
Directory Traversal:
Within the File Sharing area, press the "Upload new file" button, then in the upload field write:
c$winntrepairsam._
The file will now be "uploaded" to the area you selected.
XSS:
When posting or replying to a message in the "Message Forum" it is possible to exploit an XSS vulnerability. The vulnerability exists in both the Subject and Message properties.
Example:
Insert this into either Subject or Message property:
< script>alert('I OwN You');
< img%20src=javascript:alert(document.domain)>
< script>alert(document.cookie)
< script>window.open('http://www.infowarfare.dk')
Information leak:
Using the Traversal vulnerability it is possible to get the whole username and password file used by the Forum Web Server. This is done by simply supplying the following "upload file": \c$program Fileswebforums serveruser.ini. The usernames and passwords themselves are stored in clear text.
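A server-side check of the kind that keeps an upload-field path inside the File Sharing area, which also covers the user.ini disclosure described above. This is an added example, not Minihttp's code or the 1.61 fix; the function name, share root and sample inputs are constructed for illustration.

```python
import ntpath

FORBIDDEN = set('<>:"|?*')  # ":" also blocks drive letters and NTFS streams
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{n}" for dev in ("COM", "LPT") for n in range(1, 10)}

class PathRejected(ValueError):
    """The supplied name would leave the shared directory."""

def resolve_in_share(share_root, supplied):
    """Map a client-supplied name to a path under share_root, or raise."""
    if not supplied or "\x00" in supplied:
        raise PathRejected("empty name or NUL byte")
    name = supplied.replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    if drive or rest.startswith("\\"):
        raise PathRejected("absolute, drive-letter or UNC path")
    parts = [p for p in rest.split("\\") if p not in ("", ".")]
    if not parts:
        raise PathRejected("no file name")
    for part in parts:
        if part == ".." or FORBIDDEN & set(part) or part.endswith((" ", ".")):
            raise PathRejected(f"illegal component: {part!r}")
        if part.split(".")[0].upper() in RESERVED:
            raise PathRejected(f"reserved device name: {part!r}")
    root = ntpath.normpath(share_root)
    candidate = ntpath.normpath(ntpath.join(root, *parts))
    # Belt and braces: the normalised result must still sit under the root.
    if ntpath.commonpath([root, candidate]).lower() != root.lower():
        raise PathRejected("resolves outside the share")
    return candidate

if __name__ == "__main__":
    ROOT = r"D:\forum\share"          # constructed share root
    samples = [                       # constructed inputs
        r"docs\report.txt",
        r"..\..\winnt\file.bin",
        r"C:\winnt\file.bin",
        r"\\host\c$\winnt\file.bin",
    ]
    for s in samples:
        try:
            print("ok     ", resolve_in_share(ROOT, s))
        except PathRejected as exc:
            print("reject ", repr(s), "->", exc)
```

The check is lexical only; a server should additionally resolve the final path on disk before opening it, so that junctions or symbolic links inside the share cannot point elsewhere.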
VENDOR RESPONSE
The vendor, Minihttp, has released version 1.61, which is not vulnerable to this condition.
CREDIT
Discovered by Dennis Rand.