
VisNetic WebSite Path Disclosure Vulnerability

Name: VisNetic WebSite Path Disclosure Vulnerability
Date: 2nd of July 2003
Software affected: VisNetic WebSite 3.5, Service Release 17
(prior versions are vulnerable)
Risk: Low/Medium

Vendor Description:

VisNetic WebSite, the first web server developed specifically for
can use almost any development platform, and includes features that
web developers to create powerful, flexible web sites. VisNetic WebSite
is a secure Windows-based web server that supports multiple domains, and
allows TLS/SSL secured domains. This web server also includes support
a user database that can restrict access to content, and is immune to
many of the security issues that may arise with other popular web


When requesting a certain file from the _vti_bin folder of VisNetic
WebSite, a folder that doesn't exist, the error message returned will
the absolute local path of the web folder on the target host's

PoC (simple, eh?):

will return the following error
(including the local path of the installed web site):


500 Server Error

The server encountered an error and was unable to complete your request.

Message: Empty output from CGI program c:/localpath/_vti_bin/fpcount.exe

Please contact the server administrator at and
inform them
of the time the error occured, plus anything you know of that may have
caused the error.


As you can see, the data returned by VisNetic WebSite includes
information about the local filesystem that could be misused to gain
sensitive information about the configuration of the remote host.
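As an added illustration (not part of this advisory), the following Python snippet shows how an administrator could check their own server's error pages for this class of leak: it scans a captured response body for Windows absolute paths and rewrites them so only the file name survives. The sample body below is the 500 error quoted above, embedded inline as constructed test input.

```python
import re

# Matches Windows absolute paths such as c:/localpath/_vti_bin/fpcount.exe
# or C:\inetpub\site\file.exe: a drive letter, a colon, a path separator,
# then anything up to whitespace or a quote/angle bracket. The leading \b
# keeps "http://" from matching as a "p:/" path.
WIN_ABS_PATH = re.compile(r'\b[A-Za-z]:[\\/][^\s"\'<>|]*')

# Constructed sample: the 500 error body quoted in the advisory, as an admin
# might capture it from a proxy log or a test request against their own host.
SAMPLE_ERROR_BODY = """500 Server Error

The server encountered an error and was unable to complete your request.

Message: Empty output from CGI program c:/localpath/_vti_bin/fpcount.exe

Please contact the server administrator at and inform them
of the time the error occured, plus anything you know of that may have
caused the error."""


def find_leaked_paths(body: str) -> list[str]:
    """Return every Windows absolute path found in an HTTP response body."""
    return WIN_ABS_PATH.findall(body)


def redact_paths(body: str) -> str:
    """Replace leaked absolute paths with a placeholder, keeping only the
    final file name so the message stays useful for debugging."""
    def _repl(m: re.Match) -> str:
        name = re.split(r'[\\/]', m.group(0))[-1]
        return f"[path removed]/{name}"
    return WIN_ABS_PATH.sub(_repl, body)


if __name__ == "__main__":
    for p in find_leaked_paths(SAMPLE_ERROR_BODY):
        print("leaked path:", p)
    print(redact_paths(SAMPLE_ERROR_BODY))
```

The same check can be run over a batch of saved error responses to find any CGI or script handler that echoes its on-disk location.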

The problem should, according to VisNetic, have been resolved in the
latest build of VisNetic WebSite that is available on the VisNetic
WebSite download
This I can't confirm.

The update can be downloaded from the VisNetic WebSite administration
console, Support tab, "Check for updates" (at the bottom of the tab).

Kind regards

Peter Kruse
Kruse Security

