Liteserve Web Server v2.0 Authorization Bypass Vulnerability

Type

File Disclosure

Release Date

October 24, 2002

Product / Vendor

LiteServe is a powerful, full-featured Web, EMail and FTP server. This server software is perfect for personal websites or commercial sites with high traffic demands and multiple domains. All the services that you need work together efficiently in one program to provide you with a feature-packed server solution that is easy to setup, manage, and monitor.

http://www.cmfperception.com

Summary

It is possible to construct a web request which is capable of accessing the contents of password protected files/folders on the Liteserve Web Server v2.0. This vulnerability may only be exploited to access password-protected files in sub-folders of wwwroot.

http://host/./secret/

Tested

Windows 2000 Sp3 / Liteserve Web Server v2.0
Windows 98 SE / Liteserve Web Server v2.0

Vulnerable

Liteserve Web Server v2.0

Disclaimer

http://www.securityoffice.net is not responsible for the misuse or illegal use of any of the information and/or the software listed on this security advisory.

Author

Tamer Sahin
ts(at)securityoffice.net
http://www.securityoffice.net