BugTraq
directory traversal in xweb 1.0
Mar 22 2004 12:51PM
Donato Ferrante (fdonato autistici org)
Donato Ferrante
Application: xweb
http://in.geocities.com/shamit_bagchi
Version: 1.0
Bug: directory traversal bug
Author: Donato Ferrante
e-mail: fdonato (at) autistici (dot) org
web: www.autistici.org/fdonato
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description
2. The bug
3. The code
4. The fix
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------
1. Description:
----------------
xweb is a free HTTP server for Linux-based systems.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
2. The bug:
------------
The server does not check request paths for traversal sequences such as
"/../", so an attacker can view and download files anywhere on the remote
system using nothing more than a browser.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
3. The code:
-------------
To test the vulnerability:
http://[host]/../../../../etc/passwd
or:
http://[host]/../someFile
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
4. The fix:
------------
The vendor was contacted.
The bug will probably be fixed in the next version of xweb.
If you want, you can use the following little patch of mine, which should
fix the bug for this version of xweb:
.
..
...
(line: 233 of server.c)    pstr[i]='\0';

    /* start of patch */
    int d = 0,
        found = 1;
    /* scan the requested path for a ".." sequence; comparing d + 1 against
       strlen() avoids the size_t underflow of strlen() - 1 on an empty string */
    for( ; d + 1 < strlen(secondstr) && found == 1; d++ ) {
        if( (secondstr[d] == '.') && (secondstr[d+1] == '.') )
            found = 0;
    }
    /* a ".." was found: serve the document root instead of the requested path */
    if(found == 0)
        strcpy(secondstr, "/");
    /* end of patch */
...
..
.
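As an added example (not part of the original advisory and not xweb code), a fuller version of the check a server should apply before mapping a request onto the filesystem: it percent-decodes the path first, so an encoded "%2e%2e" is caught as well as a literal "..", and it resolves "." and ".." segment by segment, rejecting only requests that would climb above the document root instead of rewriting every path containing ".." to "/". The names url_decode and map_request are assumptions for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Percent-decode src into dst ("%2e%2e" -> ".."); returns 0 on a malformed escape. */
static int url_decode(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    for (; *src && o + 1 < dstlen; src++) {
        unsigned c = (unsigned char)*src;
        if (c == '%') {                          /* needs exactly two hex digits */
            if (!isxdigit((unsigned char)src[1]) || !isxdigit((unsigned char)src[2])) return 0;
            sscanf(src + 1, "%2x", &c); src += 2;
        }
        if (c == 0) return 0;                    /* embedded NUL would truncate the path */
        dst[o++] = (char)c;
    }
    if (*src) return 0;                          /* input did not fit in dst */
    dst[o] = '\0';
    return 1;
}

/* Decode a request path and resolve it segment by segment, refusing any ".."
 * that would climb above the document root. Returns 1 and writes the normalised
 * absolute path into out, or 0 when the request must be rejected (e.g. HTTP 403). */
int map_request(const char *req, char *out, size_t outlen)
{
    char dec[1024];
    const char *seg[64]; size_t len[64]; int depth = 0;   /* accepted segments */
    if (outlen < 2 || !url_decode(req, dec, sizeof dec) || dec[0] != '/') return 0;
    for (const char *p = dec; *p; ) {
        const char *s = ++p;                     /* skip the '/' that starts a segment */
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - s);
        if (n == 0 || (n == 1 && s[0] == '.')) continue;     /* "//" and "." are no-ops */
        if (n == 2 && s[0] == '.' && s[1] == '.') {          /* ".." pops one segment... */
            if (depth == 0) return 0;                        /* ...but never above the root */
            depth--; continue;
        }
        if (depth == 64) return 0; seg[depth] = s; len[depth++] = n;
    }
    size_t used = 0;
    for (int i = 0; i < depth; i++) {
        if (used + len[i] + 2 > outlen) return 0;
        out[used++] = '/';
        memcpy(out + used, seg[i], len[i]); used += len[i];
    }
    if (depth == 0) out[used++] = '/';          /* the root itself */
    out[used] = '\0'; return 1;
}
```

A rejected request is worth logging with the raw path, since a decoded ".." above the root is a reliable traversal indicator for the server's access log.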
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Copyright 2010, SecurityFocus