Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Servers :: 24link.htm

24link Webserver - view password protected files

    24Link Webserver


    24Link 1.06 Webserver


    'phriction' found following.  A vulnerability was found in  24Link
    1.06  Web  Server   for  Windows  95/98/2000/NT   machines.    The
    vulnerability allows you to  view any password protected  files on
    the Web Server, provided that the Authorization - Check User  Name
    and Password-  On all  Requests option  wasn't chosen,  which asks
    for user name/password for every  request sent to the server.   If
    specific files are password protected, for example by default  the
    access.txt  log  file  is,  we  can  bypass the password prompt by
    putting one  of these  before the  filename in  the request to the


    or any of these and the ending  slash being two or more /'s up  to
    around 200.. for example

    For example 24Link has a default file password protected, the  log
    file  so   on  a   24Link  Server   we  would   send  a    request
    "GET  /+/access.txt  HTTP/1.0\r\n"  or  type  in  favorite browser   it    will    return    the
    access.txt.   And  works   on  any  other  specifically   password
    protected file or  directory, also by  default 24Link 1.06  allows
    directory listing which can lead to many a security compromise.


    Vendor was contacted, but  there is no response.   If you have  to
    have sensitive information make  sure you uncheck allow  directory
    listings under  the options  menu and  choose the  Authorization -
    Check  User  Name  and  Password-  On  all  Requests  option or in
    2000/NT setting up rights so those files are not world-readable.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH