Falcon Web Server Authentication Circumvention Vulnerability

[Strumpf Noir Society <vuln-dev () labs secureance com>]

Strumpf Noir Society Advisories
! Public release !
<--#


-= Falcon Web Server Authentication Circumvention Vulnerability =-

Release date: Wednesday, February 13, 2002


Introduction:

Falcon Web Server is a ISAPI and WinCGI supporting web server running
on the Microsoft Windows OS's.

Falcon Web Server is available from vendor BlueFace's web site:
http://www.blueface.com


Problem:

Falcon Web Server supports virtual directory mapping and allows the
server administrator to use a user-authentication scheme to protect
the content of these directories. Due to a problem in the parsing
of requests made to said directories however, it is possible to
circumvent this authentication scheme and access any file in a
protected directory without supplying the proper credentials.

This can be done through adding an additional backslash at the beginning
of the virtual path. For example, the server comes with one such path
to a directory 'test' pre-configured, which requires authentication to
be accessed. A direct request to this directory ('http://server/test/&apos;)
without supplying the proper credentials will return a 401 Unauthorized
error. Requesting the same directory as 'http://server//test/&apos; however,
will allow the user access without authenticating.


(..)


Solution:

Vendor has been notified and has adressed this issue by releasing build
2.0.0.1021 for the Falcon Web Server Standard and SSL editions. This has
been tested against Falcon Web Server builds 2.0.0.1009 and 2.0.0.1020
on Win2k.


yadayadayada

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html) 
compliant, all information is provided on AS IS basis.

EOF, but Strumpf Noir Society will return!