CERT home
vulnerabilities & fixesevaluations & practicesresearch & analysistraining & education
homesearchFAQsite indexcontact
Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information
 

 View Notes By
Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric

Vulnerability Note VU#124059

GoAhead WebServer information disclosure and authentication bypass vulnerabilities

Overview

GoAhead WebServer contains vulnerabilities that may allow an attacker to view source files containing sensitive information or bypass authentication. The information disclosure vulnerability was previously published as VU#975041.

I. Description

GoAhead WebServer contains vulnerabilities handling file requests. By sending the web server a specially crafted URL, an attacker may be able to view source files containing sensitive information or bypass authentication.

II. Impact

An attacker may be able to view any file on the web server, including files that contain sensitive information like usernames and passwords. An attacker may also be able to bypass authentication for protected files.

III. Solution

Release notes for GoAhead WebServer 2.1.8 indicate that these vulnerabilities have been addressed. GoAhead WebServer is not being actively maintained. Vendors who redistribute GoAhead WebServer may release updates to address this issue. See the Systems Affected section below for more information.

Limit network access

To prevent remote exploitation of this issue, administrators are encouraged to limit network access to vulnerable systems.

Systems Affected

VendorStatusDate Updated
GoAhead Software, Inc.Vulnerable2009-02-05
Rockwell AutomationVulnerable2009-12-29

References


http://www.ab.com/networks/architectures.html
http://data.goahead.com/Software/Webserver/2.1.8/release.htm#bug-with-urls-like-asp
http://data.goahead.com/Software/Webserver/2.1.8/release.htm#security-features-can-be-bypassed-by-adding-an-extra-slash-in-the-url-bug01518
http://www.kb.cert.org/vuls/id/975041
http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2009-02-13-01.pdf
http://rockwellautomation.custhelp.com/app/answers/detail/a_id/57729
http://aluigi.altervista.org/adv/goahead-adv3.txt

Credit

Thanks to Daniel Peck of Digital Bond, Inc. for reporting this issue.

This document was written by Ryan Giobbi.

Other Information

Date Public12/17/2002
Date First Published02/05/2009 08:36:21 AM
Date Last Updated01/11/2010
CERT Advisory 
CVE NameCVE-2002-1603
Metric0.06
Document Revision78

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Copyright 2009 Carnegie Mellon University