Air Messenger LAN Server HTTP Interface Directory Traversal Attack





    The following is based on a Strumpf Noir Society advisory. Air
    Messenger LAN Server is a paging gateway server for MS Windows
    that allows you to send and receive messages to a paging network
    over a TCP/IP LAN to phones, pagers and e-mail.

    AMLServer Directory Traversal Problem
    AMLServer's  "Webpaging"  http  interface  is  susceptible  to   a
    directory traversal  attack.   Adding the  string "../"  to a  URL
    allows  an  attacker  access  to  files outside of the webserver's
    publishing directory.  This allows read access to any file on  the

    AMLServer Plaintext Password Storage
    A  second   problem  is   found  in   the  file   pUser.Dat.   All
    username/password combinations applicable to the various  services
    provided by AMLServer are stored in this file in plaintext.

    AMLServer Path Disclosure
    The user file mentioned above is stored in the server's main
    directory. The exact location can be obtained by exploiting another
    problem in the web interface, a path disclosure bug. The HTTP header
    field 'Location' contains the full path to servermaindir/Messages.

    For example:

        $ telnet target 80|grep Location

        Location: http://C:\PROGRA~1\ISS\AIRMES~1\Messages
        Connection closed by foreign host.

    This was tested against AMLServer 3.4.2 on Win2k.
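
    The containment check whose absence the directory traversal problem
    above describes, as an added example (not AMLServer code and not part
    of the original advisory). The DOCROOT value and the function name
    resolve_request are assumptions made for the illustration.

```python
import ntpath
from urllib.parse import unquote

# Constructed publishing directory for the example (not from the advisory).
DOCROOT = r"C:\srv\webpaging"


def resolve_request(url_path, docroot=DOCROOT):
    """Return the normalised file path for url_path, or None if it would
    fall outside docroot. Lexical check using Windows path rules."""
    # Drop the query string, then decode once so escaped dots and
    # separators are checked in the form the filesystem will see.
    decoded = unquote(url_path.split("?", 1)[0])
    if "\x00" in decoded:
        return None
    # Windows accepts both separators; strip leading ones so the request
    # is always treated as relative to docroot.
    relative = decoded.replace("/", "\\").lstrip("\\")
    # A drive-qualified request (C:\... or C:name) would replace docroot
    # in the join below, so refuse it outright.
    if ntpath.splitdrive(relative)[0]:
        return None
    root = ntpath.normcase(ntpath.normpath(docroot))
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(root, relative)))
    # Compare after normalisation: ".." segments are already collapsed.
    if candidate != root and not candidate.startswith(root + "\\"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: one ordinary page, one containing "../".
    for req in ("/index.htm", "/../pUser.Dat"):
        print(req, "->", resolve_request(req))
```

    The check is lexical only; a server should also resolve symbolic
    links before comparing and open the file using the returned path,
    not the raw request string.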


    Vendor has been  notified and has  expressed the intention  to fix
    these problems in version 4.   Unfortunately, at the time of  this
    advisory the vendor wasn't able  to supply us with an  approximate
    date for this "fixed" release so  we have not been able to  verify

