Bugtraq mailing list archives

AnalogX "SimpleServer:WWW" dot dot bug


From: labs () FOUNDSTONE COM
Date: Tue, 25 Jul 2000 20:45:28 -0700

                            Foundstone, Inc.
                        http://www.foundstone.com
                      "Securing the Dot Com World"

                           Security Advisory

                 AnalogX "SimpleServer:WWW" dot dot bug

----------------------------------------------------------------------
FS Advisory ID:         FS-072600-8-ANA

Release Date:           July 26, 2000

Product:                SimpleServer:WWW

Vendor:                 AnalogX (http://www.analogx.com)

Vendor Advisory:        New patched version 1.07 available

Type:                   Ability to retrieve any known file from
                        hosting system

Severity:               High

Author:                 Robin Keir (robin.keir () foundstone com)
                        Stuart McClure (stuart.mcclure () foundstone com)
                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems:      All Windows operating systems supported by
                        SimpleServer

Vulnerable versions:    SimpleServer:WWW 1.06 (and possibly previous
                        versions)

Foundstone Advisory:    http://www.foundstone.com/advisories.htm
----------------------------------------------------------------------

Description

        AnalogX SimpleServer:WWW is a simple but effective web server
        designed for the home or small business user. Its main claim
        is ease of use and setup.

        SimpleServer is vulnerable to a "relative directory path"
        attack that allows a remote user to retrieve any known file
        from the file system of the server on which it is hosted.

Details

        In normal use SimpleServer protects against accessing files
        above the directory in which the server is installed. It has
        been proven to correctly deny access when using URLs of the
        following format:

        http://www.victim.com/../file.dat

        However, by substituting the dot characters with their
        equivalent hexadecimal URL encoded format of %2E this
        restriction is removed, giving the attacker full read access
        to any file on the remote system.

Proof of concept

        An HTTP request of the form

        http://www.victim.com/%2E%2E/file.dat

        will succeed in retrieving the file "file.dat" from one
        directory level above the server root directory if it exists.
        Using similar URL requests it has been shown that any known
        file on the system can be retrieved. For example, assuming
        the default installation location of SimpleServer a request
        of the form:

        http://www.victim.com/%2E%2E/%2E%2E/windows/user.dat

        would retrieve the remote user's registry file from a Windows
        95/98 machine, and this would very likely contain confidential
        information.

        Another example here shows that it is possible to retrieve the
        log files from the web server directory itself:

        http://www.victim.com/%2E%2E/%2E%2E/Program%20Files/AnalogX/SimpleServer/www/server.log
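        The Details and Proof of concept sections above describe a check
        that rejects a literal ".." in the request path but is bypassed
        once the dots are percent-encoded. The following is an added
        illustration, not Foundstone's or AnalogX's code, of why that
        happens and how a server should resolve request paths instead:
        decode exactly once, normalise, and test the final resolved path
        for containment within the document root. It also includes a
        small log-review helper that flags the encoded form in access
        logs. The document root "/srv/www" and the request list are
        constructed for the example; the request paths themselves are
        the ones quoted in this advisory plus a few controls.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root for the illustration (constructed, not
# SimpleServer's real install path).
DOC_ROOT = "/srv/www"

# Request paths quoted in the advisory plus a few constructed controls.
SAMPLE_REQUESTS = [
    "/index.html",                                   # ordinary request
    "/docs/../index.html",                           # literal '..', stays inside root
    "/../file.dat",                                  # literal '..', escapes root
    "/%2E%2E/file.dat",                              # advisory: encoded dots
    "/%2E%2E/%2E%2E/windows/user.dat",               # advisory: registry file
    "/%2E%2E/%2E%2E/Program%20Files/AnalogX/SimpleServer/www/server.log",
    "/%252E%252E/file.dat",                          # double-encoded control
]


def naive_is_allowed(raw_path):
    """The class of check the advisory describes: looks for a literal '..'
    segment in the raw request path without percent-decoding first, so
    '%2E%2E' is never recognised as a parent-directory reference."""
    return ".." not in raw_path.split("/")


def resolve_request_path(raw_path, doc_root=DOC_ROOT):
    """Hardened resolution: decode once, normalise, then check containment.

    Returns the absolute filesystem path to serve, or None when the request
    would resolve outside doc_root.
    """
    root = posixpath.normpath(doc_root)
    # Decode exactly once. A second decode would turn '%252E' into '.', so
    # the canonical form is fixed here and never re-interpreted later.
    decoded = unquote(raw_path)
    # NUL bytes truncate C strings; treat the request as malformed.
    if "\x00" in decoded:
        return None
    # Windows (the advisory's platform) treats '\' as a separator too, so
    # fold it to '/' before normalising.
    decoded = decoded.replace("\\", "/")
    # Join the *decoded* relative path to the root and collapse '.' and '..'.
    full = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment is tested on the final resolved path, not on the request
    # text, so every encoding of '..' is caught the same way. A double-encoded
    # '%252E%252E' decodes to the literal file name '%2E%2E', which is not a
    # parent reference and therefore resolves to a (non-existent) file under
    # the root rather than escaping it.
    if full != root and not full.startswith(root + "/"):
        return None
    return full


def flags_encoded_traversal(raw_path):
    """Log-review helper: True when the request contains a parent-directory
    segment after one round of percent-decoding (matches the advisory's
    '%2E%2E' form as well as a literal '..', whether or not it escapes)."""
    return ".." in unquote(raw_path).replace("\\", "/").split("/")


def compare(requests=SAMPLE_REQUESTS):
    """Return [(request, naive_allowed, hardened_result)] for each request."""
    return [(r, naive_is_allowed(r), resolve_request_path(r)) for r in requests]


if __name__ == "__main__":
    for req, naive_ok, resolved in compare():
        verdict = "allow" if naive_ok else "deny"
        print(f"{req:70} naive={verdict:6} hardened={resolved or 'deny'}")
```

        Running the block prints one line per request; the three
        advisory requests are the ones the naive check allows and the
        hardened resolver denies, while "/docs/../index.html" is allowed
        by both because its resolved path stays under the root.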

Solution

        Download SimpleServer:www version 1.07 from

        http://www.analogx.com/contents/download/network/sswww.htm

        Preliminary tests of the fix by Foundstone have confirmed the
        problem is corrected.

Credits

        We would like to thank AnalogX for their prompt reaction to
        this problem and their co-operation in heightening security
        awareness in the security community.

Disclaimer

        THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT
        (C) 2000 OF FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT
        THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS
        GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.
        NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY
        WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR
        DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED
        ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE
        REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE
        ADVISORY IS NOT MODIFIED IN ANY WAY.
