COMMAND

    24Link Webserver

SYSTEMS AFFECTED

    24Link 1.06 Webserver

PROBLEM

    'phriction' found the following.  A vulnerability was found in
    24Link 1.06 Web Server for Windows 95/98/2000/NT machines.  The
    vulnerability allows anyone to view any password-protected file on
    the Web Server, provided that the "Authorization - Check User Name
    and Password- On all Requests" option, which asks for a user
    name/password for every request sent to the server, wasn't chosen.
    If specific files are password protected (by default the
    access.txt log file is), the password prompt can be bypassed by
    putting one of these before the filename in the request to the
    server:

        /+/
        /./
        /+./
        /++/
        /++./

    or any of these with the ending slash repeated two or more times,
    up to around 200 slashes, for example
    http://24link.net/++//////protected.html

    For example, 24Link password protects one file by default, the log
    file, so on a 24Link server we would send the request
    "GET /+/access.txt HTTP/1.0\r\n" or type
    http://24linkserver.com/+/access.txt into a browser, and it will
    return access.txt.  This works on any other specifically password
    protected file or directory.  Also, by default 24Link 1.06 allows
    directory listing, which can lead to many security compromises.

SOLUTION

    Vendor was contacted, but there has been no response.  If you have
    to keep sensitive information on the server, make sure you uncheck
    allow directory listings under the options menu and choose the
    "Authorization - Check User Name and Password- On all Requests"
    option, or on 2000/NT set up rights so those files are not
    world-readable.
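
    The prefixes listed under PROBLEM can be searched for in web server
    logs to see whether protected files were fetched this way.  The
    Python below is an added example, not part of the original advisory
    or of 24Link; it assumes Common Log Format entries and a
    hypothetical list of protected paths, and the sample log lines are
    constructed.

```python
import re

# Prefixes listed in the advisory: /+/  /./  /+./  /++/  /++./
# The closing slash may be repeated (the advisory says up to around 200).
BYPASS_PREFIX = re.compile(r"^/(?:\+{1,2}\.?|\.)/+")

# Request field of a Common Log Format entry (assumed log format).
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/\d\.\d"')

def strip_bypass_prefix(path):
    """Return the path with a listed prefix removed, or None if absent."""
    m = BYPASS_PREFIX.match(path)
    return "/" + path[m.end():] if m else None

def find_bypass_requests(log_lines, protected):
    """Return (line_no, requested_path, target, hits_protected) tuples."""
    # Windows file names are case-insensitive, so compare in lower case.
    protected = {p.lower() for p in protected}
    findings = []
    for line_no, line in enumerate(log_lines, 1):
        req = REQUEST.search(line)
        if not req:
            continue  # malformed or non-request line
        path = req.group(1).split("?", 1)[0]  # ignore any query string
        target = strip_bypass_prefix(path)
        if target is not None:
            findings.append((line_no, path, target, target.lower() in protected))
    return findings

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.10 - - [01/Jan/2001:10:00:05 +0000] "GET /access.txt HTTP/1.0" 401 0',
    '192.0.2.10 - - [01/Jan/2001:10:00:09 +0000] "GET /+/access.txt HTTP/1.0" 200 9041',
    '198.51.100.7 - - [01/Jan/2001:10:02:11 +0000] "GET /++//////protected.html HTTP/1.0" 200 733',
    '198.51.100.7 - - [01/Jan/2001:10:02:30 +0000] "GET /c++/notes.html HTTP/1.0" 200 120',
]
PROTECTED = ["/access.txt", "/protected.html"]  # assumed protected paths

if __name__ == "__main__":
    for finding in find_bypass_requests(SAMPLE_LOG, PROTECTED):
        print(finding)
```

    A finding whose last field is True means a request reached a
    protected path through one of the listed prefixes; compare it with
    the logged status code to see whether the file was actually served.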