File Disclosure Vulnerability in Simple Web Server
10 Nov. 2002
Summary
As its name suggests, Peter Sandvik's Simple Web Server is a Linux-based web server. A security vulnerability in the product allows remote attackers to view the contents of files even when those files are supposed to be executed (as is the case with CGIs).
Restricted files can be remotely accessed because of Simple Web Server's failure to properly handle malformed URL requests for said files. For example, if a standard URL to access a restricted file is http://server.com/secret/file, the altered URL http://server.com///secret/file will bypass any access control on that file, thereby granting unauthorized access to it.
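The following is an added example, not code from Simple Web Server or from this advisory. It assumes a hypothetical prefix-based access-control list (RESTRICTED) and shows why matching the raw request path lets ///secret/file through, and how canonicalizing the path before the check (collapsing repeated slashes and, going beyond the case described above, resolving "." and ".." segments) closes the gap.

```python
# Added example. RESTRICTED and all request paths below are constructed
# (hypothetical); this is not Simple Web Server's own access-control code.
RESTRICTED = ("/secret",)


def _matches(path):
    # True when path is a restricted prefix or lies underneath one.
    return any(path == p or path.startswith(p + "/") for p in RESTRICTED)


def naive_is_restricted(raw_path):
    """Weak check: matches the raw, un-normalized request path."""
    return _matches(raw_path)


def canonicalize(raw_path):
    """Collapse repeated slashes and resolve '.' and '..' segments.

    Raises ValueError if '..' would climb above the document root.
    """
    segments = []
    for seg in raw_path.split("/"):
        if seg in ("", "."):
            continue  # empty segment comes from '//' or a leading '/'
        if seg == "..":
            if not segments:
                raise ValueError("path escapes document root")
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def authorize(raw_path):
    """Hardened check: return the canonical path to serve, or None to deny.

    The caller must open the returned path, never raw_path, so the path
    that was checked is the path that is served.
    """
    try:
        path = canonicalize(raw_path)
    except ValueError:
        return None  # fail closed on malformed paths
    return None if _matches(path) else path


if __name__ == "__main__":
    for p in ("/secret/file", "///secret/file", "/public/./index.html"):
        print(p, "naive-deny" if naive_is_restricted(p) else "naive-allow",
              "->", authorize(p))
```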
Analysis:
The damage that results from accessing restricted files on the web server depends on the file accessed and the kind of information it contains. Simple Web Server is not a widely distributed web server, according to Netcraft.com. As such, widespread exploitation is unlikely.
Workaround:
Migrate to another, supported web server, because the software is no longer actively maintained.
Vendor response:
Peter Sandvik said he will suspend work on the project for now, because he "doesn't have time to work on it."
Disclosure timeline:
08/29/2002 Issue disclosed to iDEFENSE
09/25/2002 Maintainer, Peter Sandvik, notified
09/25/2002 iDEFENSE clients notified
09/25/2002 Response received from Peter Sandvik (peter.sandvik@home.se)
09/26/2002 Started e-mail discussions regarding status of software support
10/31/2002 Last e-mail received regarding status of software support
11/08/2002 Public disclosure