wp-02-0001.txt

wp-02-0001.txt: Posted Jul 11, 2002; Authored by Matt Moore | Site westpoint.ltd.uk; Westpoint Security Advisory wp-02-0001 - The GoAhead Web Server v2.1 for Windows NT/98/95/CE, Embedded Linux, Netware, and others contains directory traversal and cross site scripting vulnerabilities. Exploit URL's included.; tags | web, vulnerability, xss; systems | linux, windows; SHA-256 | 3e2b101f0ae13c006aead327c7e7c21f64f42fc6791980b2cd6bb6c96186df8d; Download | Favorite | View

wp-02-0001.txt

Westpoint Security Advisory

Title:    GoAhead Web Server Directory Traversal + Cross Site Scripting    
Risk Rating:   Medium
Software:   GoAhead Web Server v2.1  
Platforms:   Windows NT/98/95/CE        
    Embedded Linux
    Linux
    QNX
    Novell Netware + others

Vendor URL:   www.goahead.com/webserver/webserver.htm
Author:    Matt Moore <matt@westpoint.ltd.uk>
Date:    10th July 2002
Advisory ID#:  wp-02-0001 

Overview: 
=========
GoAhead is an open source 'embedded' web server. Apparently used in various
networking devices from several blue chip companies. 

(http://www.goahead.com/webserver/customers.htm)

Details: 
========

Cross Site Scripting via 404 messages.
--------------------------------------

GoAhead quotes back the requested URL when responding with a 404. Hence it
is possible to perform cross-site scripting attacks, e.g:

GoAhead-server/SCRIPTalert(document.domain)/SCRIPT

Read arbitrary files from the server running GoAhead(Directory Traversal)
-------------------------------------------------------------------------

GoAhead is vulnerable to a directory traversal bug. A request such as 

GoAhead-server/../../../../../../../ results in an error message
'Cannot open URL'. 

However, by encoding the '/' character, it is possible to break out of the
web root and read arbitrary files from the server. 
Hence a request like:

GoAhead-server/..%5C..%5C..%5C..%5C..%5C..%5C/winnt/win.ini returns the
contents of the win.ini file.

Vendor Response:
================
I was unable to obtain any response from GoAhead technical support regarding
the identified issues.

Patch Information:
==================
No vendor response, so unsure if fixed version available.

Security History:
=================

http://www.securiteam.com/securitynews/5QP010U3FS.html - Directory Traversal
http://www.securiteam.com/securitynews/5IP0E2K41I.html - Denial of Service
http://www.securiteam.com/windowsntfocus/5LP040A3RS.html - Denial of Service

This advisory is available online at:

http://www.westpoint.ltd.uk/advisories/wp-02-0001.txt

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 87 files
Gentoo 31 files
Debian 21 files
tmrswrr 10 files
Sina Kheirkhah 7 files
Rodolfo Tavares 4 files
bRpsd 4 files
Google Security Research 3 files
Jann Horn 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,078)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,350)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,266)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,658)
UNIX (9,425)
UnixWare (187)
Windows (6,666)
Other

wp-02-0001.txt

wp-02-0001.txt

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

wp-02-0001.txt

Share This

wp-02-0001.txt

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems