Philip Curnow's LocalWEB2000 is an HTTP server for Microsoft Corp.'s Windows operating system. Due to inadequate security permissions and improper handling the product's stored passwords can be easily retrieved.
Vulnerable systems:
* LocalWEB2000 Professional version 2.1.0
Issuing a URL request such as http://localweb.http.server/users.lst to a vulnerable LocalWEB 2000 server can allow access to the plaintext password file stored within (this is the document root directory, i.e. C:\Program Files\LocalWEB\users.lst).
Analysis:
Access to the password file allows an attacker to potentially gain access to all protected virtual directories on an affected LocalWEB 2000 server.
Workaround:
Under LocalWEB's configuration settings, change the document root virtual directory to a less predictable folder.
Vendor response:
Curnow said he is unable to currently support the current release of LocalWEB 2000.
Disclosure timeline:
08/29/2002 Issue disclosed to iDEFENSE
09/24/2002 Author notified (philip@curnow37.freeserve.co.uk)
09/25/2002 Response from Author
09/25/2002 iDEFENSE clients notified
09/25/2002 - 12/10/2002 iDEFENSE and Author Communication
12/16/2002 Public Disclosure
