BugTraq
Directory Traversal in ArsDigita Community System Jan 18 2007 08:20PM
Elliot Kendall (ekendall brandeis edu)
SUMMARY
=======

A directory traversal vulnerability exists in the Ars Digita Community
System. A remote attacker could exploit this vulnerability to read
arbitrary files with the permissions of the web server.

AFFECTED SOFTWARE
=================

* Ars Digita Community System (ACS) 3.4.9, 3.4.10, and probably earlier
versions

* Ars Digita Community Education Solution (ACES) 1.1

UNAFFECTED
==========

* OpenACS all versions

* Ars Digita Community System (ACS) 4.2

* ACS-Java 3.4, 4.0, 4.7.4

IMPACT
======

A remote attacker could exploit this vulnerability to read sensitive
files on the affected system. Possible targets could include files
containing passwords, private keys for SSL certificates, and web server
logs.

DETAILS
=======

RFC2396 permits the use of escaped characters in a URI string,
consisting of a percent sign followed by two hexadecimal digits
corresponding to the ASCII value of the character. For example, a space
would be encoded as %20.

Decoding these escape sequences is normally the job of the web server.
Affected versions of ACS perform their own decoding pass after the one
done by the web server, so a URI containing %25, the encoded form of
the percent character, is decoded twice.

Web servers traditionally also perform sanity checks on URLs to prevent
them from accessing files in the directory tree outside of the web
server's configured root directory. One of the most common restricted
sequences is "../", which refers to the parent directory of the current
working directory.

Because the second URI decoding that ACS performs happens after the
web server's sanity checks, a doubly-encoded "../" is not caught by
those checks, so a request can reach files outside of the web server's
root directory.

SOLUTION
========

In the request-processor-procs.tcl file, replace the line

set url [ns_urldecode [ns_conn url]]

with

set url [ns_conn url]
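
The decode-then-check ordering described above, and the effect of the
one-line fix, as an added example that is not part of the advisory:
it models the web server's single decode and ".." check, the extra
decode in affected ACS, and a final under-root check as defence in
depth. The document root /var/www/acs and the function names are
assumptions for illustration.

```python
# Added example (not from the advisory): models the web server's single
# decode-then-check, ACS's extra ns_urldecode, and a defensive resolver.
from urllib.parse import unquote
import posixpath

WEB_ROOT = "/var/www/acs"  # constructed example document root


def server_filter(raw_path):
    """Model of the web server: decode once, then refuse any '..' segment."""
    decoded = unquote(raw_path)
    if ".." in decoded.split("/"):
        return None  # the server's sanity check rejects the request
    return decoded


def map_to_file(path):
    """Join a decoded request path onto the document root and normalise it."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, path.lstrip("/")))


def vulnerable_resolve(raw_path):
    """Affected ACS: 'set url [ns_urldecode [ns_conn url]]' decodes a second time."""
    once = server_filter(raw_path)
    if once is None:
        return None
    twice = unquote(once)  # %25 -> %, so %252e became %2e and now becomes '.'
    return map_to_file(twice)


def fixed_resolve(raw_path):
    """Patched ACS: 'set url [ns_conn url]' keeps only the server's single decode."""
    once = server_filter(raw_path)
    if once is None:
        return None
    return map_to_file(once)


def inside_root(full_path):
    """Defence in depth: check the final, fully normalised path is still under WEB_ROOT."""
    return full_path == WEB_ROOT or full_path.startswith(WEB_ROOT + "/")


if __name__ == "__main__":
    probe = "/" + ".%252e/" * 8 + "etc/passwd"  # shape of the advisory's request
    print("vulnerable ->", vulnerable_resolve(probe))
    print("fixed      ->", fixed_resolve(probe))
```

Whatever decoding the application does, the inside_root check on the
final path is the control that catches this class of bug regardless of
how many encoding layers preceded it.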

EXPLOIT
=======

This example will retrieve the UNIX password file from a vulnerable
host with a web root fewer than 8 directories deep from the root
directory.

http://target.tld/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd

ACKNOWLEDGMENTS
===============

Thanks to Eve Andersson for finding the source of the bug in the
application code and providing a fix.

Thanks to the OpenACS development team for helping confirm their
software is not vulnerable.

--
Elliot Kendall <ekendall (at) brandeis (dot) edu>
Network Security Engineer
Brandeis University