Reported March 9, 2003, by Dennis Rand.

VERSIONS AFFECTED

  • Minihttp’s Forum Web Server version 1.60

DESCRIPTION

Three vulnerabilities exist in Minihttp’s Forum Web Server version 1.60. The first allows a potential attacker to access files that reside outside the restricted area of the server. The second allows the insertion of malicious HTML and JavaScript into existing web pages (Cross Site Scripting). The third makes it possible to steal the usernames and passwords of other users.

DEMONSTRATION

The discoverer posted the following scenarios as proof of concept:

Directory Traversal:
Within the FileSharing area, press the "Upload new file" button; then, in the upload field, write:

\\<VULN host>\c$\winnt\repair\sam._

This will now be "uploaded" to the area where you selected.

XSS:
When posting or replying to a message in the "Message Forum" it is possible to exploit an XSS vulnerability. The vulnerability exists in both the Subject and Message properties.

Example:
Insert this into either Subject or Message property:
< script>alert('I OwN You');</script>
< img%20src=javascript:alert(document.domain)>
< script>alert(document.cookie)</script>
< script>window.open('http://www.infowarfare.dk')</script>

Information leak:
Using the Traversal vulnerability it is possible to get the whole username and password file used by the Forum Web Server. This is done by simply supplying the following "upload file": \\<vuln-host>\c$\program Files\web forums server\user.ini. The usernames and passwords themselves are stored in clear text.
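An added example (not from the advisory or the vendor) of the two server-side checks that close the traversal and XSS issues described above: accepting nothing but a bare file name in the upload field, and HTML-encoding Subject and Message before they are written into a page. The sample strings are constructed from the proof-of-concept text above; the function names and the allow-list pattern are hypothetical.

```python
import html
import ntpath
import re
from urllib.parse import unquote

# Sample inputs constructed from the proof-of-concept strings in this advisory.
UNC_SAM = r"\\<VULN host>\c$\winnt\repair\sam._"
UNC_USER_INI = r"\\<vuln-host>\c$\program Files\web forums server\user.ini"
XSS_SUBJECT = "<script>alert(document.cookie)</script>"

# Hypothetical allow-list for a bare upload name: no separators, no path.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def safe_upload_name(name: str):
    r"""Return the bare file name if it is acceptable, otherwise None.

    The advisory's traversal works because the "upload file" field is used as
    a path, so a UNC reference (\\host\c$\...) makes the server read a file
    from a share. The checks below reject UNC and drive-qualified paths, any
    directory separator (after URL decoding, so %5c / %2f do not slip past),
    and dot segments, leaving only a plain name inside the upload directory.
    """
    name = unquote(name)
    if name.startswith(("\\\\", "//")):          # UNC: \\host\share\...
        return None
    drive, _ = ntpath.splitdrive(name)            # also catches c:\... forms
    if drive:
        return None
    if "\\" in name or "/" in name:               # no path components at all
        return None
    if name in (".", "..") or not _SAFE_NAME.fullmatch(name):
        return None
    return name


def render_post_field(text: str) -> str:
    """HTML-encode a forum Subject or Message so <, >, &, and both quote
    characters are shown as text rather than parsed as tags or attributes."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    for candidate in (UNC_SAM, UNC_USER_INI, "..\\user.ini", "report.txt"):
        print(repr(candidate), "->", safe_upload_name(candidate))
    print(render_post_field(XSS_SUBJECT))
```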

VENDOR RESPONSE

The vendor, Minihttp, has released version 1.61, which is not vulnerable to these conditions.

CREDIT

Discovered by Dennis Rand.