Title: Abyss Web Server Authentication Bypass Vulnerability
Severity: HIGH
Description:
Abyss Web Server is a freely available personal web server. It is maintained by Aprelium Technologies and runs on Microsoft Windows operating systems, as well as Linux.
A vulnerability has been reported to exist in the software that may allow a remote attacker to bypass authentication in order to access the resources. It has been reported that this issue only presents itself if the server is installed on a Linux system running FAT32. An attacker may access the password protected directory under which the server is running by adding a period as '.' or '%2e' at the end of a URL request. It has also been reported that adding a space ' ' or colon ':' to a URL may have the same affect, however it may also just cause a 404 server error.
Successful exploitation of this issue may allow an attacker to bypass authentication and gain access to server resources in order to launch further attacks.
Abyss Web Server versions prior to 1.2 have been reported prone to this issue.
Affected Products:
- Aprelium Technologies Abyss Web Server 1.0.0
- Aprelium Technologies Abyss Web Server 1.0.3
- Aprelium Technologies Abyss Web Server 1.0.7
- Aprelium Technologies Abyss Web Server 1.1.2
- Aprelium Technologies Abyss Web Server 1.1.4
- Aprelium Technologies Abyss Web Server 1.1.6 Beta
References:
- Aprelium Technologies: Abyss Web Server Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
