"GWeb is a project to develop an HTTP server using Java, making it
small and portable. It will run on any system running the Java
Runtime Environment."
The program doesn't check for malicious patterns like "/../", so an
attacker is able to see and download all the files on the remote
system simply using a browser.
Donato Ferrante
Application: GWeb HTTP Server
http://freshmeat.net/projects/gweb/
Version: 0.6
Bug: directory traversal bug
Author: Donato Ferrante
e-mail: fdonato (at) autistici (dot) org [email concealed]
web: www.autistici.org/fdonato
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description
2. The bug
3. The code
4. The Fix
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------
1. Description:
----------------
Vendor's Description:
"GWeb is a project to develop an HTTP server using Java, making it
small and portable. It will run on any system running the Java
Runtime Environment."
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
2. The bug:
------------
The program doesn't check for malicious patterns like "/../", so an
attacker is able to see and download all the files on the remote
system simply using a browser.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
3. The code:
-------------
To test the vulnerability:
http://[host]/../../../../../../windows/system.ini
or:
http://[host]/../someFile
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
4. The Fix:
------------
No fix.
The vendor has not answered to my signalations.
If you want, you can use my following little patch, that should fix
the bug for this version of GWeb HTTP Server:
...
..
.
(line: 136) String dir="www"+System.getProperty("file.separator");
/* start of patch */
int f_len = f.length();
boolean check = false;
for(int bi = 0; bi < f.length()-2 && check == false; bi++){
if(
(f.charAt(bi) == '\"') || (f.charAt(bi)=='/') &&
(f.charAt(bi+1)=='.') && (f.charAt(bi+2) == '.')
){
f_len = 0;
check = true;
}
else if(
(f.charAt(bi)=='.') &&
(f.charAt(bi+1) == '.')
){
f_len = 0;
check = true;
}
}
if(f_len <= 2) // before "if(f.length()==0)"
/* end of patch */
{
file=dir+"index.html";
}
.
..
...
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[ reply ]