Vulnerability Note VU#124059
GoAhead WebServer information disclosure and authentication bypass vulnerabilities
Overview
GoAhead WebServer contains vulnerabilities that may allow an attacker to view source files containing sensitive information or bypass authentication. The information disclosure vulnerability was previously published as VU#975041.
Description
GoAhead WebServer contains vulnerabilities in its handling of file requests. By sending the web server a specially crafted URL, an attacker may be able to view source files containing sensitive information or bypass authentication. GoAhead WebServer has a history of source file disclosure vulnerabilities.
Impact
An attacker may be able to view any file on the web server, including files that contain sensitive information such as usernames and passwords. An attacker may also be able to bypass authentication for protected files.
Solution
Release notes for GoAhead WebServer 2.1.8 indicate that these vulnerabilities have been addressed. GoAhead WebServer is not being actively maintained. Vendors who redistribute GoAhead WebServer or include it in other products may release updates to address these vulnerabilities. Vendors who have modified GoAhead WebServer may or may not be affected. See the Systems Affected section below for more information. GoAhead WebServer 2.1.8 on the Microsoft Windows platform remains vulnerable to source file disclosure.
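The release note cited in the References below describes security features being bypassed by an extra slash in the URL, which is the classic failure of applying access control to a raw request path. The following is an added example (not GoAhead code, and not the project's actual fix) of the defensive pattern: canonicalise the path first, then compare it against protected prefixes. The protected prefixes `/admin` and `/config` are constructed for illustration, and the input is assumed to be already percent-decoded.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Canonicalise a request path: collapse runs of '/', drop "." segments and
 * resolve ".." so that "//admin/x" and "/admin/x" compare as the same path. */
static void canonicalize_path(const char *in, char *out, size_t outsz)
{
    size_t n = 0;                         /* bytes written; out never has a trailing '/' */
    out[n++] = '/';
    for (const char *p = in; *p; ) {
        while (*p == '/') p++;            /* skip any run of slashes */
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 1 && seg[0] == '.') continue;              /* "." is a no-op */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {     /* "..": pop a segment */
            while (n > 1 && out[n - 1] != '/') n--;
            if (n > 1) n--;                                   /* drop its separator too */
            continue;
        }
        if (n + 1 + len >= outsz) break;                      /* no room: truncate safely */
        if (n > 1) out[n++] = '/';
        memcpy(out + n, seg, len);
        n += len;
    }
    out[n] = '\0';
}

/* Hardened check: decide on the canonical path, matching whole segments only. */
static bool requires_auth(const char *request_path)
{
    static const char *const protected_prefixes[] = { "/admin", "/config" };  /* constructed */
    char canon[512];
    canonicalize_path(request_path, canon, sizeof canon);
    for (size_t i = 0; i < sizeof protected_prefixes / sizeof protected_prefixes[0]; i++) {
        size_t plen = strlen(protected_prefixes[i]);
        if (strncmp(canon, protected_prefixes[i], plen) == 0 &&
            (canon[plen] == '\0' || canon[plen] == '/'))
            return true;
    }
    return false;
}

/* Naive check kept for contrast: a raw prefix compare misses "//admin/x". */
static bool requires_auth_naive(const char *request_path)
{
    return strncmp(request_path, "/admin", 6) == 0 || strncmp(request_path, "/config", 7) == 0;
}

/* Helper for verification: does `in` canonicalise to `expected`? */
static bool canon_equals(const char *in, const char *expected)
{
    char buf[512];
    canonicalize_path(in, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}
```

Run the naive and hardened checks side by side on a request such as `//admin/users` to see the difference: the raw prefix compare lets it through unauthenticated, the canonical one does not.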
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| GoAhead Software, Inc. | Affected | - | 22 Jun 2010 |
| Rockwell Automation | Affected | - | 29 Dec 2009 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://www.ab.com/networks/architectures.html
- http://data.goahead.com/Software/Webserver/2.1.8/release.htm#bug-with-urls-like-asp
- http://data.goahead.com/Software/Webserver/2.1.8/release.htm#security-features-can-be-bypassed-by-adding-an-extra-slash-in-the-url-bug01518
- http://www.kb.cert.org/vuls/id/975041
- http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2009-02-13-01.pdf
- http://rockwellautomation.custhelp.com/app/answers/detail/a_id/57729
- http://aluigi.altervista.org/adv/goahead-adv3.txt
- http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=goahead+web+server
- http://www.exploit-db.com/exploits/12815/
Credit
Thanks to Daniel Peck of Digital Bond, Inc. for reporting this issue.
This document was written by Ryan Giobbi.
Other Information
- CVE IDs: CVE-2002-1603
- Date Public: 17 Dec 2002
- Date First Published: 05 Feb 2009
- Date Last Updated: 22 Jun 2010
- Severity Metric: 0.06
- Document Revision: 81