Name: VisNetic WebSite Path Disclosure Vulnerability Date: 2nd of July 2003 Software affected: VisNetic WebSite 3.5, Service release 17 (prior versions are vulnerable) Advisory: http://www.krusesecurity.dk/advisories/vis0103.txt Vendor: http://www.deerfield.com/download/visnetic_website/ Risk: Low/Medium Vendor Description: VisNetic Website, the first web server developed specifically for Windows, can use almost any development platform, and includes features that allow web developers to create powerful, flexible web sites. VisNetic WebSite is a secure windows-based web server that supports multiple domains, and allows TLS/SSL secured domains. This web server also includes support for a user database that can restrict access to content, and is immune to many of the security issues that may arise with other popular web servers. Problem: When requesting a certain file from the vti-bin folder from Visnetic Website, a folder that doesn't exist, the error message returned will reveal the absolute local path of the web folder on the target host's filesystem. POC (simpel, eh?): http://www.somehost.com/_vti_bin/fpcount.exe/ will return the following error (including the local path of the installed webpage): -> 500 Server Error The server encountered an error and was unable to complete your request. Message: Empty output from CGI program c:/localpath/_vti_bin/fpcount.exe Please contact the server administrator at postmaster@somehost.com and inform them of the time the error occured, plus anything you know of that may have caused the error. <- As you can see, the data returned by Visnetic Website, includes information about the local filesystem, that could be misused to gain sensitive information about the configuration of the Remote host. Solution: The problem should, according to Visnetic, have been resolved in the latest build of VisNetic WebSite that is available on the Visnetic Website download page. This I canīt confirm. The update can be downloaded from the Visnetic WebSite administration console, support tab, check for updates (at the bottom of the tab). Kind regards Peter Kruse Kruse Security http://www.krusesecurity.dk