90585 2003-02-12  22:36  /44 lines/ thomas adams <tgadams@bellsouth.net>
Imported: 2003-02-12  22:36  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3484>
Subject: Abyss WebServer Brute Force Vulnerability
------------------------------------------------------------


Abyss WebServer Brute Force Vulnerability

Package:          Abyss WebServer
Vendor Web Site:  http://www.aprelium.com
Versions:         All versions <= v1.1.2
Platforms:        Linux, Windows
Local:            No
Remote:           Yes
Fix Available:    No (fix in progress)
Vendor Contacted: Sunday, February 09, 2003 6:12 PM
Advisory Author:  thomas adams (tgadams@bellsouth.net)



Background: Abyss Web Server is a free, easily configured web server
designed for Windows and Linux operating systems. The vendor,
Aprelium, targets small businesses and personal use with this "fast,
small and easy to use" server. The main feature is a remote web
management interface where a user can configure the server in a
matter of minutes.


Exploit: By connecting to the remote web management interface at
http://abyss_server:9999 an attacker can use a brute-force method to
gain access to the server. There is no delay after a wrong attempt, and
attackers are given an indefinite number of attempts at entering a
valid user and password. Unlike the access.log file for port 80,
Abyss has no logging for port 9999, so the attempts leave no trace
and the attack can be carried out unseen.
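The two controls the advisory says port 9999 lacks, a lockout after repeated failures and an audit log of every attempt, as an added defensive example that is not Abyss code; the "admin" account, its password, the thresholds and the log format are constructed for the illustration:

```python
# Added example (not Abyss code): per-client lockout plus an audit log
# for a management-interface login, the controls missing on port 9999.
import hashlib
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5          # failed attempts per client before lockout (assumed)
LOCKOUT_SECONDS = 300     # how long a client stays locked out (assumed)
MGMT_PORT = 9999          # management port named in the advisory


def _h(pw):
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed credential store; a real server reads this from its config.
USERS = {"admin": _h("correct horse")}


class MgmtAuthGuard:
    """Counts failures per client, locks the client out, logs every attempt."""

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable for testing
        self.failures = defaultdict(int)
        self.locked_until = {}
        self.audit_log = []                 # stands in for a port-9999 access.log

    def _log(self, client, user, outcome):
        ts = time.strftime("%d/%b/%Y:%H:%M:%S", time.gmtime(self.clock()))
        self.audit_log.append(f'{client} - {user} [{ts}] "LOGIN :{MGMT_PORT}" {outcome}')

    def attempt(self, client, user, password):
        now = self.clock()
        if self.locked_until.get(client, 0) > now:
            self._log(client, user, "LOCKED")     # refused without checking the password
            return False
        expected = USERS.get(user)
        ok = expected is not None and hmac.compare_digest(expected, _h(password))
        if ok:
            self.failures[client] = 0
            self._log(client, user, "OK")
            return True
        self.failures[client] += 1
        if self.failures[client] >= MAX_FAILURES:
            self.locked_until[client] = now + LOCKOUT_SECONDS
            self.failures[client] = 0
            self._log(client, user, "FAIL-LOCKOUT")
        else:
            self._log(client, user, "FAIL")
        return False
```

Once a client is locked out even the correct password is refused until the window expires, and the audit_log lines give a defender the record the advisory notes Abyss does not keep.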


Vendor Response: Aprelium was notified and will soon release an
updated version of the server to include a fix for the brute-force
attack and logging of port 9999. The vendor was also notified of
several directories and files having write privileges. It was agreed
that a user should set permissions themselves, but there is no
documentation telling a user what has write access by
default. Aprelium has also decided to add a fix for the default
permissions of directories and files.