Strumpf Noir Society Advisories ! Public release ! <--#

-= Falcon Web Server Authentication Circumvention Vulnerability =-

Release date: Wednesday, February 13, 2002

Introduction:

Falcon Web Server is an ISAPI- and WinCGI-supporting web server running on the Microsoft Windows operating systems. Falcon Web Server is available from vendor BlueFace's web site: http://www.blueface.com

Problem:

Falcon Web Server supports virtual directory mapping and allows the server administrator to use a user-authentication scheme to protect the content of these directories. Due to a problem in the parsing of requests made to said directories, however, it is possible to circumvent this authentication scheme and access any file in a protected directory without supplying the proper credentials.

This can be done by adding an additional backslash at the beginning of the virtual path. For example, the server comes with one such path to a directory 'test' pre-configured, which requires authentication to be accessed. A direct request to this directory ('http://server/test/') without supplying the proper credentials will return a 401 Unauthorized error. Requesting the same directory as 'http://server//test/', however, will allow the user access without authenticating.

(..)

Solution:

The vendor has been notified and has addressed this issue by releasing build 2.0.0.1021 for the Falcon Web Server Standard and SSL editions.

This has been tested against Falcon Web Server builds 2.0.0.1009 and 2.0.0.1020 on Win2k.

yadayadayada

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html) compliant; all information is provided on an AS IS basis.

EOF, but Strumpf Noir Society will return!
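The class of bug described in the Problem section is an authorization decision made on the raw request path instead of on a canonical form of it. The following is an added example, not code from the advisory or from BlueFace: a naive prefix match that misses '//test/', placed beside a check that canonicalizes the path (percent-decoding, backslash folding, slash collapsing, dot-segment resolution) before comparing it against the protected directory list. The protected directory list, the function names and the 200/401 decision helper are assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed configuration (assumption, not the real server's): virtual
# directories whose contents require credentials.
PROTECTED_DIRS = ["/test/"]


def naive_requires_auth(request_path: str) -> bool:
    """Literal prefix match on the raw request path.

    This models the failure mode in the advisory: '//test/' does not start
    with '/test/', so the protected directory is never recognised.
    """
    return any(request_path.startswith(d) for d in PROTECTED_DIRS)


def canonicalize(request_path: str) -> str:
    """Reduce a request path to one canonical form before any policy check."""
    # Drop query string and fragment; they never name a directory.
    path = request_path.split("?", 1)[0].split("#", 1)[0]
    # Percent-decode so '%2e%2e' or '%2f' cannot hide a segment from the check.
    path = unquote(path)
    # A Windows server treats '\' as a separator; fold it to '/'.
    path = path.replace("\\", "/")
    # Collapse runs of slashes. This must happen before normpath, because
    # posixpath.normpath deliberately preserves a leading '//'.
    path = re.sub(r"/+", "/", path)
    if not path.startswith("/"):
        path = "/" + path
    wants_trailing = path.endswith("/")
    # Resolve '.' and '..'; '..' above the root is discarded by normpath.
    path = posixpath.normpath(path)
    if wants_trailing and path != "/":
        path += "/"
    return path


def hardened_requires_auth(request_path: str) -> bool:
    """Prefix match on the canonical path; '//test/' now maps to '/test/'."""
    canon = canonicalize(request_path)
    return any(canon == d.rstrip("/") or canon.startswith(d) for d in PROTECTED_DIRS)


def decide(request_path: str, credentials_ok: bool) -> int:
    """Return the HTTP status the hardened check would produce."""
    if hardened_requires_auth(request_path) and not credentials_ok:
        return 401
    return 200


if __name__ == "__main__":
    for p in ["/test/", "//test/", "/test/../test/secret.txt", "/%2e%2e/test/", "/testing/"]:
        print(f"{p!r:32} naive={naive_requires_auth(p)!s:5} "
              f"canonical={canonicalize(p)!r:24} hardened={hardened_requires_auth(p)}")
```

The order of the steps in `canonicalize` matters: decoding has to precede the slash collapse, and the collapse has to precede `posixpath.normpath`, which on its own keeps a leading double slash intact and would reproduce the advisory's failure.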