"The aim of pServ (pico Server) is to create a portable, small
webserver.
Coded in portable C with Unix being the main reference platform, but
porting is encouraged. Portability and small footprint should enable
the use of pServ on a workstation as well as."
The program, by default, has an anti-directory traversal check, but
this check can be easily bypassed using the double slash ("//") into
the http requests.
To fix the bug simply go on the pserv's official website,
http://sourceforge.net/projects/pserv, and download the latest version
of pserv (see also in CVS).
Or, if you want, you can use my following little patch, that should fix
the bug for the version 3.0b2 of Pserv:
Donato Ferrante
Application: PSERV - the small web server
http://sourceforge.net/projects/pserv
Version: 3.0 beta 2
Bug: directory traversal bug
Author: Donato Ferrante
e-mail: fdonato (at) autistici (dot) org [email concealed]
web: www.autistici.org/fdonato
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description
2. The bug
3. The code
4. The patch
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------
1. Description:
----------------
Vendor's Description:
"The aim of pServ (pico Server) is to create a portable, small
webserver.
Coded in portable C with Unix being the main reference platform, but
porting is encouraged. Portability and small footprint should enable
the use of pServ on a workstation as well as."
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
2. The bug:
------------
The program, by default, has an anti-directory traversal check, but
this check can be easily bypassed using the double slash ("//") into
the http requests.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
3. The code:
-------------
To test the pserv's vulnerability simply send to the webserver an http
request string, like that:
"GET //../ HTTP/1.0\r\n\r\n"
or generally:
GET //../MY_PATH HTTP/1.0\r\n\r\n
GET /SOME_DIRECTORY//..//../ HTTP/1.0\r\n\r\n
so the webserver will allow you to go out of the documentsPath
assigned to the webserver, and navigate through the system.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
--------------
4. The patch:
--------------
To fix the bug simply go on the pserv's official website,
http://sourceforge.net/projects/pserv, and download the latest version
of pserv (see also in CVS).
Or, if you want, you can use my following little patch, that should fix
the bug for the version 3.0b2 of Pserv:
--- main.c 2003-09-22 10:39:24.000000000 +0200
+++ patch.c 2003-12-19 12:40:47.000000000 +0100
@@ -455,6 +455,11 @@
dirName[1] = req.documentAddress[2];
dirName[2] = req.documentAddress[3];
dirName[3] ='\0';
+ if (dirName[0] == '/')
+ {
+ sayError(sock, FORBIDDEN, req.documentAddress, req);
+ return -1;
+ }
if (!strcmp(dirName, "../"))
{
sayError(sock, FORBIDDEN, req.documentAddress, req);
@@ -462,6 +467,15 @@
}
}
j = 0;
+ for(i = 1; i < sL; i++) {
+ if(req.documentAddress[i] == '/')
+ if(req.documentAddress[i+1] == '/')
+ {
+ sayError(sock, FORBIDDEN, req.documentAddress, req);
+ return -1;
+ }
+
+ }
for (i = 1; i < sL; i++) {
if (req.documentAddress[i] == '/')
{
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[ reply ]