InterVations NaviCOPA Web Server 3.0.1.2 and earlier allows remote attackers to obtain the source code for a web page via a trailing encoded space character in a URI, as demonstrated by /index.html%20 and /index.php%20 URIs.
NaviCOPA Web Server versions 3.0.1.2 and earlier contain a critical information disclosure flaw: a remote attacker can retrieve the source code of server-side pages, potentially exposing credentials, database connection strings, and application logic, which can lead to complete system compromise. The vulnerability makes reconnaissance trivial and can be leveraged for further attacks, including remote code execution and data exfiltration.
Step 1: Target Identification: The attacker identifies a NaviCOPA Web Server instance running a vulnerable version (3.0.1.2 or earlier).
Step 2: Crafting the Request: The attacker constructs a malicious HTTP GET request targeting a known web page, appending a trailing encoded space (%20) to the URI (e.g., /index.html%20).
Step 3: Request Submission: The attacker sends the crafted HTTP request to the vulnerable web server.
Step 4: Server Processing: The NaviCOPA web server receives the request and attempts to locate the requested file, but fails to properly handle the trailing encoded space.
Step 5: Source Code Disclosure: Instead of rendering the webpage, the server returns the source code of the requested file (e.g., index.html) in the HTTP response.
The vulnerability stems from improper URI parsing in the NaviCOPA web server: the server fails to sanitize or reject a trailing encoded space character (%20) in the requested URI. When a request such as /index.html%20 is received, the server likely attempts to locate the file without stripping or ignoring the encoded space, and as a result returns the raw contents of the requested file instead of processing and rendering the page. The root cause is likely a missing or inadequate input validation routine that does not account for the encoded space character, which lets an attacker bypass the server's normal handling and gain unauthorized access to sensitive information. The flaw is not a buffer overflow or a race condition, but a simple input validation failure.
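To make the root-cause paragraph concrete from a defender's side, the following is an added Python example; it is not NaviCOPA's code, and the handler-selection model, the access-log lines and the IP addresses in it are constructed. It models the class of bug described above (a handler lookup keyed on the decoded path that still carries its trailing space, so a script file falls through to the raw-file handler), shows the hardened canonicalization check a server should apply before resolving any file, and runs a detector over sample access-log lines. The hardened check generalizes beyond %20 to other encoded whitespace, trailing dots and double-encoding, which is an extension of the page's single case.

```python
# Added example (not NaviCOPA's code): a constructed model of the input-validation
# failure, the hardened canonicalization a server should apply, and a detector
# over constructed access-log lines.
import re
from urllib.parse import unquote

# Constructed: which handler a static server picks, keyed on file extension.
# Anything unknown falls through to raw file serving.
SCRIPT_HANDLERS = {"php": "php-cgi", "asp": "asp-engine"}


def _extension(path: str) -> str:
    filename = path.rsplit("/", 1)[-1]
    return filename.rsplit(".", 1)[-1] if "." in filename else ""


def choose_handler_vulnerable(raw_path: str) -> str:
    """Models the flaw: decode once, then look up the handler by extension
    without stripping trailing whitespace. '/index.php%20' decodes to
    '/index.php ', whose extension 'php ' matches no script handler, so the
    request falls back to the raw-file handler and the source is disclosed."""
    decoded = unquote(raw_path)
    return SCRIPT_HANDLERS.get(_extension(decoded), "static-file")


def canonicalize_path(raw_path: str):
    """Hardened version: decode exactly once, then reject any path whose
    decoded form still contains an escape, has leading/trailing whitespace or
    a trailing dot (filesystems may silently strip these), contains control
    characters, or is not a clean absolute path. Returns None on reject."""
    decoded = unquote(raw_path)
    if unquote(decoded) != decoded:          # double-encoded input
        return None
    if decoded != decoded.strip() or decoded.endswith("."):
        return None
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return None
    if not decoded.startswith("/") or ".." in decoded.split("/"):
        return None
    return decoded


def choose_handler_hardened(raw_path: str):
    """Resolve the handler only from a canonical path; None means the caller
    should answer 400 Bad Request instead of touching the filesystem."""
    path = canonicalize_path(raw_path)
    if path is None:
        return None
    return SCRIPT_HANDLERS.get(_extension(path), "static-file")


# Constructed Common Log Format lines; only the second and fourth carry a
# request target whose path ends in an encoded space.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 1042',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php%20 HTTP/1.1" 200 2210',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /docs/Hello%20World.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /index.html%20?x=1 HTTP/1.1" 200 777',
]

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/\d\.\d"')
TRAILING_ENCODED_WS = re.compile(r"%(?:20|09|0a|0d)$", re.IGNORECASE)


def find_trailing_encoded_space(log_lines):
    """Return the request paths (query string removed) whose last characters
    are an encoded whitespace byte, i.e. the pattern the advisory describes.
    An encoded space in the middle of a filename is legitimate and ignored."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group(1).split("?", 1)[0]
        if TRAILING_ENCODED_WS.search(path):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for p in ("/index.php", "/index.php%20"):
        print(p, "->", choose_handler_vulnerable(p), "|", choose_handler_hardened(p))
    print("flagged:", find_trailing_encoded_space(SAMPLE_LOG))
```

The hardened path rejects rather than silently strips the trailing space: stripping would make /index.php%20 and /index.php equivalent, which is harmless here but keeps two spellings of every resource alive for any later handler or cache to disagree about. The log scan is a cheap retrospective check against existing access logs while the fix is being deployed; a 200 response on a flagged line is the case worth reviewing.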