Full Version: Tinyweb 1.92
qcred11
QUOTE


====================================
GSSIT - Global Security Solution IT
====================================

-------------------------------------------------------

Application: TinyWEB Server
Web Site: http://www.ritlabs.com/tinyweb/
Versions: 1.92
Platform: Windows


Credits:
########

#########################################
# == Ziv Kamir == #
# #
# GSSIT - Global Security Solution IT #
# #
# Email : gss_it@yahoo.com #
# #
# #
#########################################

---------------------

1) Introduction
2) Bug
3) The Code
4) Fix


================
1) Introduction
================

TinyWeb is an extremely small (executable file size is 53K), simple (no configuration other than through
the command line) and fast (consumes a minimum of system resources) Win32 daemon for regular (TCP/http)
and secure (SSL/TLS/https) web servers.



=======
2) Bug
=======

Download Scripts from /cgi-bin/ Folder.

===========
3) The Code
===========

A remote user can issue an HTTP GET request for /cgi-bin/./[Script Name] to download it.



======
4) Fix
======

Date of Vendor Notification:
----------------------------

26 / 05 / 04

Response:
---------
No response
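
Added example (not from the advisory, the thread, or TinyWeb): flagging access-log requests that reach /cgi-bin/ through a non-canonical path such as the /cgi-bin/./ form described above, so they can be reviewed or rejected. The Common Log Format lines, the script name test.cgi and the 192.0.2.x addresses are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

CGI_PREFIX = "/cgi-bin/"  # script directory named in the advisory
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines (assumed Common Log Format; test.cgi is hypothetical).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/May/2004:10:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 200 512',
    '192.0.2.11 - - [26/May/2004:10:00:05 +0000] "GET /cgi-bin/./test.cgi HTTP/1.0" 200 2048',
    '192.0.2.12 - - [26/May/2004:10:00:12 +0000] "GET /index.html HTTP/1.0" 200 1024',
    '192.0.2.13 - - [26/May/2004:10:00:20 +0000] "GET /cgi-bin/ HTTP/1.0" 403 0',
]

def canonical_path(target: str) -> str:
    """Drop the query, decode, and collapse '.', '..' and repeated slashes."""
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    norm = posixpath.normpath("/" + path.lstrip("/"))
    # normpath strips a trailing slash; restore it so directory requests compare equal
    if path.endswith("/") and norm != "/":
        norm += "/"
    return norm

def flag_noncanonical_cgi(lines):
    """Return (raw_target, canonical_path, status) for every request whose
    canonical path is under /cgi-bin/ but which was sent in another form."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        raw, status = m.group(1), int(m.group(2))
        canon = canonical_path(raw)
        # The advisory lists Windows as the platform, so compare case-insensitively.
        if canon.lower().startswith(CGI_PREFIX) and canon != raw.split("?", 1)[0]:
            hits.append((raw, canon, status))
    return hits

if __name__ == "__main__":
    for hit in flag_noncanonical_cgi(SAMPLE_LOG):
        print(hit)
```

The same canonical_path comparison can run in a reverse proxy or filter in front of the server: a request whose raw path differs from its canonical form is redirected to the canonical form or refused before it reaches the CGI directory.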

ComSec
.. can you please post where it came from and the link.... yet again I have to ask !!

like Secunia, Bugtraq, SecurityTracker ... so we can follow them up
qcred11
Sorry chief, I got it by email... Don't have a source link.

Oops, I found the link for the same vulnerability on SecurityTracker, if anybody is interested:
http://www.securitytracker.com/alerts/2004/May/1010346.html