COMMAND

    SimpleServer:WWW

SYSTEMS AFFECTED

    SimpleServer:WWW 1.06 (and possibly previous versions)

PROBLEM

    The following is based on a Foundstone advisory by Robin Keir and
    Stuart McClure.  AnalogX SimpleServer:WWW is a simple but effective
    web server designed for the home or small business user.  Its main
    claim is ease of use and setup.

    SimpleServer is vulnerable to a "relative directory path" attack
    that allows a remote user to retrieve any known file from the file
    system of the server on which it is hosted.  In normal use
    SimpleServer protects against accessing files above the directory
    in which the server is installed.  It has been proven to correctly
    deny access when using URLs of the following format:

        http://www.victim.com/../file.dat

    However, by substituting the dot characters with their equivalent
    hexadecimal URL encoded format of %2E this restriction is removed,
    giving the attacker full read access to any file on the remote
    system.

    An HTTP request of the form

        http://www.victim.com/%2E%2E/file.dat

    will succeed in retrieving the file "file.dat" from one directory
    level above the server root directory if it exists.  Using similar
    URL requests it has been shown that any known file on the system
    can be retrieved.  For example, assuming the default installation
    location of SimpleServer, a request of the form:

        http://www.victim.com/%2E%2E/%2E%2E/windows/user.dat

    would retrieve the remote user's registry file from a Windows 95/98
    machine, and this would very likely contain confidential
    information.

    Another example here shows that it is possible to retrieve the log
    files from the web server directory itself:

        http://www.victim.com/%2E%2E/%2E%2E/Program%20Files/AnalogX/SimpleServer/www/server.log
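
    The root cause described above is a check applied to the raw URL
    before percent-decoding.  The following added example (not code from
    the advisory or from AnalogX) places such a naive check next to a
    hardened one that decodes first, canonicalises, and confirms the
    result stays under the document root; the document root, sample
    request lines and function names are constructed for illustration.

```python
# Added example: naive pre-decode check vs. decode-then-canonicalise check.
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www"  # assumed document root (constructed for the example)

def naive_is_safe(raw_path: str) -> bool:
    """Check done on the raw URL before decoding: '..' is refused, '%2E%2E' slips through."""
    return ".." not in raw_path

def percent_decode_fully(raw_path: str, max_rounds: int = 3) -> str:
    """Decode until stable so double-encoded sequences (%252E) are caught too."""
    decoded = raw_path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded

def resolve_within_docroot(raw_path: str, docroot: str = DOCROOT):
    """Canonical path under docroot, or None if the decoded request escapes it."""
    decoded = percent_decode_fully(raw_path).replace("\\", "/")  # normalise Windows separators
    if "\x00" in decoded:  # an embedded NUL would truncate the path in a C runtime
        return None
    joined = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    if joined != docroot and not joined.startswith(docroot.rstrip("/") + "/"):
        return None
    return joined

# Constructed sample request lines modelled on the advisory's URLs.
SAMPLE_LOG = [
    "GET /index.htm HTTP/1.0",
    "GET /%2E%2E/file.dat HTTP/1.0",
    "GET /%2E%2E/%2E%2E/windows/user.dat HTTP/1.0",
    "GET /%252E%252E/server.log HTTP/1.0",
]

def flag_traversal_requests(lines):
    """Detection: request paths whose decoded, canonicalised form escapes the docroot."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and resolve_within_docroot(parts[1]) is None:
            hits.append(parts[1])
    return hits
```

    The same decode-then-canonicalise logic works as a log-review filter
    for spotting past traversal attempts against an unpatched server.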

SOLUTION

    Download SimpleServer:www version 1.07 from

        http://www.analogx.com/contents/download/network/sswww.htm

    Preliminary tests of the fix by Foundstone have confirmed the
    problem is corrected.