Falcon Web Server Unauthorized File Disclosure Vulnerability

Type

File Disclosure

Release Date

May 27, 2002

Product / Vendor

Falcon Web Server is a desktop web server capable of running a small / medium website with a typical load of up to 50-80 hits per minute. The server has the ability to execute ISAPI and WinCGI applications from virtual directories.

http://www.blueface.com

Summary

Due to a flaw in Falcon Web Server 2.0 for Windows, a user can gain read access to known password-protected files residing on a Falcon Web Server host by requesting the protected folder with a dot appended to its name:

http://host/protectedfolder./
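
The following is an added example, not part of the original advisory and not Falcon Web Server code. The advisory does not state the root cause, so the sketch assumes the protection check compares the folder name literally while Windows drops trailing dots and spaces when it resolves the path; the folder list, function names and sample requests are hypothetical.

```python
from urllib.parse import unquote, urlsplit

# Hypothetical configuration: top-level folders that require a password.
PROTECTED = {"protectedfolder"}


def naive_is_protected(url: str) -> bool:
    """Weak form: literal match on the first path segment of the raw URL."""
    first = urlsplit(url).path.lstrip("/").split("/", 1)[0]
    return first in PROTECTED


def canonical_segments(url: str) -> list[str]:
    """Reduce the URL path to the folder names Windows would actually open."""
    path = unquote(urlsplit(url).path).replace("\\", "/")
    segments: list[str] = []
    for raw in path.split("/"):
        if raw in ("", "."):
            continue
        if raw == "..":
            if segments:
                segments.pop()
            continue
        # Win32 drops trailing dots and spaces and ignores case.
        name = raw.rstrip(". ").lower()
        if name:
            segments.append(name)
    return segments


def hardened_is_protected(url: str) -> bool:
    """Match on the canonical first segment, not the raw request string."""
    segments = canonical_segments(url)
    return bool(segments) and segments[0] in PROTECTED


def bypass_candidates(urls: list[str]) -> list[str]:
    """Requests that reach a protected folder but slip past the literal check."""
    return [u for u in urls if hardened_is_protected(u) and not naive_is_protected(u)]


# Constructed sample requests, not taken from a real log.
SAMPLE = [
    "http://host/protectedfolder/",
    "http://host/protectedfolder./",
    "http://host/ProtectedFolder.%20/file.txt",
    "http://host/public/index.html",
]

if __name__ == "__main__":
    for url in bypass_candidates(SAMPLE):
        print("needs review:", url)
```

The same canonicalisation can be run over web server access logs to flag requests whose folder name only matches a protected folder after normalisation.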

Tested

Windows 2000 / Falcon Web Server 2.0.0.1021
Windows 2000 / Falcon Web Server 2.0.0.1021 SSL Edition

Vulnerable

Falcon Web Server 2.0.0.1021
Falcon Web Server 2.0.0.1021 SSL Edition

Disclaimer

http://www.securityoffice.net is not responsible for the misuse or illegal use of any of the information and/or the software listed on this security advisory.

Author

Tamer Sahin
ts(at)securityoffice.net
http://www.securityoffice.net