[1] directory traversal bug: the program doesn't check for malicious
patterns like "/../", so an attacker is able to navigate through
the system simply using a browser.
[2] cross site scripting bug: the user input strings are not filtered
and they will appear in the returned page.
case -1: /* nothing found */
{
Misc.putSysMessage(0,"Requested file was NOT found.");
output.outputError(404, " ");
//before "output.outputError(404,httpURI);"
break;
}
Application: Pegasi Web Server (PWS)
http://pws.sourceforge.net
Version: 0.2.2
Bugs: Multiple Vulnerabilities
Author: Donato Ferrante
e-mail: fdonato (at) autistici (dot) org [email concealed]
web: www.autistici.org/fdonato
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description
2. The bugs
3. The code
4. The fix
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------
1. Description:
----------------
Vendor's Description:
"Pegasi Web Server (PWS) is a multithreading Java Web server. It is
written by students at the PegasiLUG as a project for Networking."
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
2. The bugs:
-------------
[1] directory traversal bug: the program doesn't check for malicious
patterns like "/../", so an attacker is able to navigate through
the system simply using a browser.
[2] cross site scripting bug: the user input strings are not filtered
and they will appear in the returned page.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
3. The code:
-------------
To test the vulnerabilities:
[1]
http://[host]:8080/../../../../etc/passwd
or:
http://[host]:8080/../
[2]
http://[host]:8080/<script>alert("Test")</script>
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
4. The fix:
------------
No fix.
The email addresses provided on the official website seem don't work.
If you want, you can use my following little patch, that should fix
the bugs for this version of Pegasi Web Server:
...
..
.
( line: 30 of FileFinder.java ) FileFinder(String httpURIPath)
{
/* start of patch for [1] */
boolean done = false;
for(int z = 0; z < httpURIPath.length()-1; z++){
if( httpURIPath.charAt(z) == '.' && httpURIPath.charAt(z+1) == '.'){
this.status = -1;
done = true;
}
}
if( done == true ) return;
/* end of patch for [1] */
.
..
...
- - - - -
...
..
.
( line: 233 of Connection.java )
/* start of patch for [2] */
case -1: /* nothing found */
{
Misc.putSysMessage(0,"Requested file was NOT found.");
output.outputError(404, " ");
//before "output.outputError(404,httpURI);"
break;
}
/* end of patch for [2] */
.
..
...
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[ reply ]