Abyss WebServer Brute Force Vulnerability Package: Abyss WebServer Vendor Web Site: http://www.aprelium.com Versions: All versions <= v1.1.2 Platforms: Linux, Windows Local: No Remote: Yes Fix Available: No(fix in progress) Vendor Contacted: Sunday, February 09, 2003 6:12 PM Advisory Author: thomas adams(tgadams@bellsouth.net) Background: Abyss Web Server is a free, easily configured web server designed for Windows and Linux operating systems. The vendor, Aprelium, targets small businesses and personal use with this "fast, small and easy to use" server. The main feature is a remote web management interface where a user can configure the server in a matter of minutes. Exploit: By connecting to the remote web management interface at http://abyss_server:9999 an attacker can use a brute-force method to gain access to the server. There is no delay in a wrong attempt and attackers are given an indefinite number of attempts at entering a valid user and password. Unlike the access.log file for port 80, Abyss has no logging for port 9999. This allows an attacker to perform unseen. Vendor Response: Aprelium was notified and will soon release an updated version of the server to include a fix for the brute-force attack and logging of port 9999. The vendor was also notified of several directories and files having write priviledges. It was agreed that a user should set permissions themselves, but there is no documentation telling a user what has write access by default. Aprelium has also decided to add a fix for the default permissions of directories and files.