KeyFocus KF Web Server File Disclosure Vulnerability
14 Nov. 2002
Summary
KeyFocus Web server is a Win32 HTTP server with web administration, a variety of logging formats, such as NCSA and W3C, CGI, compression, memory caching of static documents, directory indexing, pre-defined MIME settings, internal authentication with support for multiple realms, and a variety of URL checks that make it more secure against hacking attempts such as buffer overruns.
Credit:
The information has been provided by Matt Murphy.
KFWS contains a flaw that enables attackers to traverse above the webroot in the directory structure. This is not a traditional directory traversal attack. KFWS does not properly handle consecutive dot characters in the file name:
http://kfws/. - Current Directory
http://kfws/.. - 403 Forbidden
http://kfws/... - KFWS install dir (OOPS!)
http://kfws/.... - Program Files
http://kfws/..... - \
This vulnerability is limited by the internal hack defenses of the server -- only files with recognized MIME types can be retrieved. This significantly limits the damage from this vulnerability.
Solution:
KFWS v2.0.0 (Beta) eliminates this vulnerability, and the next stable version will eliminate the flaw as well. Administrators who are concerned about this flaw should upgrade to the beta.
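For administrators reviewing logs or filtering requests in front of an unpatched server, the following is an added example (not part of the original advisory and not KeyFocus code) that flags any request path containing a segment made up only of dots, which covers the "...", "...." and "....." forms listed above as well as "..". The function names are hypothetical, the log lines are constructed sample data, and the NCSA common log format is assumed.

```python
import re
from urllib.parse import unquote

# Constructed NCSA common-log lines (sample data, not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Nov/2002:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.11 - - [14/Nov/2002:10:00:05 +0000] "GET /.../readme.txt HTTP/1.0" 200 512',
    '192.0.2.11 - - [14/Nov/2002:10:00:09 +0000] "GET /%2e%2e%2e%2e/ HTTP/1.0" 200 2048',
    '192.0.2.12 - - [14/Nov/2002:10:00:12 +0000] "GET /docs/v1.2...final.html HTTP/1.0" 200 300',
    '192.0.2.13 - - [14/Nov/2002:10:00:15 +0000] "GET /../ HTTP/1.0" 403 0',
]

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:[A-Z]+) (\S+) HTTP/[\d.]+"')


def dot_only_segments(url_path):
    """Return the path segments that consist solely of two or more dots."""
    path = unquote(url_path.split("?", 1)[0])  # drop the query, decode %2e once
    segments = re.split(r"[/\\]", path)        # Win32 accepts both separators
    return [s for s in segments if len(s) >= 2 and set(s) == {"."}]


def is_safe_path(url_path):
    """Request filter: refuse every dot-only segment, not just '..'."""
    return not dot_only_segments(url_path)


def flag_log_lines(lines):
    """Return (line_number, segments) for each request with dot-only segments."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            segments = dot_only_segments(match.group(1))
            if segments:
                hits.append((number, segments))
    return hits


if __name__ == "__main__":
    for number, segments in flag_log_lines(SAMPLE_LOG):
        print(f"line {number}: dot-only segment(s) {segments}")
```

A file name that merely contains consecutive dots, such as the fourth sample line, is not flagged; only whole segments of dots are.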