
Abyss WebServer Brute Force Vulnerability

by Nikola Strahija on February 13th, 2003

By connecting to the remote web management interface at http://abyss_server:9999 an attacker can use a brute-force method to gain access to the server.


Package: Abyss WebServer
Vendor Web Site: http://www.aprelium.com
Versions: All versions <= v1.1.2
Platforms: Linux, Windows
Local: No
Remote: Yes
Fix Available: No (fix in progress)
Vendor Contacted: Sunday, February 09, 2003 6:12 PM
Advisory Author: Thomas Adams ([email protected])



Background:
Abyss Web Server is a free, easily configured web server designed for
Windows and Linux operating systems. The vendor, Aprelium, targets small
businesses and personal use with this "fast, small and easy to use"
server. The main feature is a remote web management interface where a user
can configure the server in a matter of minutes.


Exploit:
By connecting to the remote web management interface at
http://abyss_server:9999 an attacker can use a brute-force method to gain
access to the server. There is no delay after a wrong attempt, and attackers
are given an unlimited number of attempts at entering a valid user name and
password. Unlike the access.log file for port 80, Abyss has no logging for
port 9999, so an attacker can operate unseen.
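As an added illustration (not code from the advisory or from Aprelium), the following Python sketch shows the two controls the advisory says were missing from the port-9999 interface: a doubling delay and a lockout after repeated failures from one source, and a log record for every attempt. The user store, thresholds and source addresses are constructed for the example.

```python
import hashlib
import hmac
import logging
import time
from collections import defaultdict

# Constructed demo credential store; a real server would hold salted hashes.
USERS = {"admin": hashlib.sha256(b"correct horse").hexdigest()}
# Compared against when the user name is unknown, so unknown and wrong
# passwords take the same code path.
DUMMY_HASH = hashlib.sha256(b"no-such-user").hexdigest()


class AdminLoginGuard:
    """Throttles, locks out and records login attempts to a management port."""

    def __init__(self, max_failures=5, lockout_seconds=300, base_delay=1.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self.clock = clock                      # injectable for testing
        self.failures = defaultdict(int)        # source -> consecutive failures
        self.locked_until = {}                  # source -> unlock timestamp
        self.log = logging.getLogger("mgmt-auth")

    def penalty_delay(self, source):
        """Seconds the caller should wait before answering the next attempt:
        0 after a success, then 1, 2, 4, ... doubling per failure."""
        n = self.failures[source]
        return self.base_delay * (2 ** (n - 1)) if n else 0.0

    def attempt(self, source, user, password):
        """Returns 'ok', 'failed' or 'locked'; every outcome is logged."""
        now = self.clock()
        if self.locked_until.get(source, 0.0) > now:
            self.log.warning("locked-out attempt source=%s user=%s", source, user)
            return "locked"
        digest = hashlib.sha256(password.encode()).hexdigest()
        match = hmac.compare_digest(USERS.get(user, DUMMY_HASH), digest)
        if match and user in USERS:
            self.failures.pop(source, None)
            self.log.info("login ok source=%s user=%s", source, user)
            return "ok"
        self.failures[source] += 1
        self.log.warning("login failed source=%s user=%s failures=%d",
                         source, user, self.failures[source])
        if self.failures[source] >= self.max_failures:
            self.locked_until[source] = now + self.lockout_seconds
            self.log.error("source=%s locked for %ds", source, self.lockout_seconds)
            return "locked"
        return "failed"
```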


Vendor Response:
Aprelium was notified and will soon release an updated version of the
server that includes a fix for the brute-force attack and logging of port
9999. The vendor was also notified of several directories and files
having write privileges. It was agreed that a user should set permissions
themselves, but there is no documentation telling a user what has write
access by default. Aprelium has also decided to add a fix for the default
permissions of directories and files.

