US-CERT
Vulnerability Notes Database

Vulnerability Note VU#124059

GoAhead Webserver information disclosure vulnerability

Overview

The GoAhead web server contains an information disclosure vulnerability that may allow an attacker to bypass authentication and view system configuration files or passwords. This issue was previously published under VU#975041.

I. Description

The GoAhead web server contains an information disclosure vulnerability. By sending the web interface a specially crafted URL, an attacker may be able to bypass authentication and view arbitrary system files.

II. Impact

An attacker may be able to view any file on the web server, including files that contain usernames and passwords.

III. Solution

The GoAhead webserver is not being actively maintained. Vendors who redistribute the GoAhead webserver may release updates to address this issue. See the systems affected section below for more information.

Limit network access

To prevent remote exploitation of this issue, administrators are encouraged to limit network access to vulnerable systems.

Systems Affected

Vendor | Status | Date Notified | Date Updated
GoAhead Software, Inc. | Vulnerable | 2009-02-05
Rockwell Automation | Vulnerable | 2009-02-05

References


http://www.ab.com/networks/architectures.html
http://data.goahead.com/Software/Webserver/2.1.8/release.htm#bug-with-urls-like-asp
http://data.goahead.com/Software/Webserver/2.1.8/release.htm#security-features-can-be-bypassed-by-adding-an-extra-slash-in-the-url-bug01518
http://www.kb.cert.org/vuls/id/975041

Credit

Thanks to Daniel Peck of Digital Bond, Inc. for reporting this issue.

This document was written by Ryan Giobbi.

Other Information

Date Public: 2003-12-02
Date First Published: 2009-02-05
Date Last Updated: 2009-02-06
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric: 0.06
Document Revision: 72

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Produced 2009 by US-CERT, a government organization