COMMAND

    Falcon Web Server

SYSTEMS AFFECTED

    Windows 95/98/NT running BlueFace's Falcon Web Server version 1.0.0.1006.

PROBLEM

    Following is based on BindView Security Advisory (Andrew  Reiter).
    Falcon  Web  Server  suffers  from  a  path parsing problem, which
    allows  a  remote  user  to  escape  out of the webroot directory.
    Also,  the  web  server  gives  up  information  about itself when
    certain filenames are requested.

    The  Falcon  Web  Server  (FWS)  is  a fully functional web server
    meant for running  on desktop computers,  handling about 50  to 80
    hits per  minute.   The Falcon  Web Server  is plagued  by a  path
    parsing bug  which has  affected other  web servers  in the  past,
    such as  old IIS  and Apache.  This bug  allows a  remote user  to
    "break out" of the webroot  directory, where the web server  runs,
    and browse  directories and/or  download files  from areas outside
    of the webroot directory.  The default settings of the web  server
    allow browsing  of directories  and reading  of files  outside the
    webroot directory.   Users can disable  this "feature."   If it is
    disabled, one  can still  read the  files, but  the complete  path
    must be known  to the attacker.   FWS also has  a bug in  handling
    long file name requests, in which it will give up the location  of
    the  webroot  directory.   This  can  be  used  as  a  information
    gathering technique for further attacking of the machine.

    Remote users have  the ability to  view directory paths,  download
    files (depending on permissions),  and may use this  to compromise
    the web server.

SOLUTION

    Falcon Web Server version 1.0.0.1008 fixes the vulnerabilities and
    is available at:

        http://www.blueface.com/products.html#fws