Home / os / win7

[remote exploits] - Visual Synapse HTTP Server v1.0 RC3 Dire

Posted on 07 October 2010

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Visual Synapse HTTP Server v1.0 RC3 Directory Traversal Vulnerability | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Visual Synapse HTTP Server v1.0 RC3 Directory Traversal Vulnerability by Felipe Aragon in remote exploits | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>=====================================================================
Visual Synapse HTTP Server v1.0 RC3 Directory Traversal Vulnerability
=====================================================================

Vendor URL: http://sourceforge.net/projects/visualsynapse/
Advisory URL: http://www.syhunt.com/advisories/?id=vs-httpd-dirtrav
 
The Common Vulnerabilities and Exposures (CVE) project has
assigned the following CVE to this vulnerability: CVE-2010-3743
 
----------------------------------------------------------------
 
Overview:
Visual Synapse HTTP Server is an open source HTTP server and
also server component for Delphi, Freepascal and C++ Builder
developed by Rene Tegel. The server supports PHP, Perl and CGI
and is distributed both as source and as precompiled binary.
 
Description:
A vulnerability in the Visual Synapse HTTP server allows remote
attackers to traverse directories on the system. This is
possible by sending a specially-crafted URL request containing
&quot;dot dot&quot; sequences (/..).
 
----------------------------------------------------------------
 
Details:
 
Example 1:
GET /........windows/system.ini HTTP/1.0
 
Example 2:
GET /......oot.ini HTTP/1.0
 
Note: the server was installed in the &quot;C:ServerVSHTTPD&quot;
directory.
 
Sandcat can also be used to identify this issue:
http://www.syhunt.com/sandcat
 
----------------------------------------------------------------
 
Vulnerability Status:
 
The vendor was notified, but no reply has been received.
 
The source code of the server warns about possible security
issues and that it is not suitable for production environments
yet. This warning must be taken seriously.
 
Any application using this source is vulnerable unless the code
is patched. Any machine running the compiled HTTPD Server demo
is vulnerable as well, unless the application is replaced with
an up-to-date and patched version.
 
----------------------------------------------------------------


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-07]</pre></body></html>

 

TOP

Malware :

Exploits :