Bugtraq mailing list archives
Re: IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server
From: "Daniel R. Ome" <keziah () uole com>
Date: Thu, 26 Sep 2002 15:42:41 -0300
En Wed, Sep 25, 2002 at 09:10:45AM -0000, DownBload escribió sobre IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server:
[ Illegal Instruction Labs Advisory ] [-------------------------------------------------------------------------] Advisory name: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server Advisory number: 12 Application: Monkey (0.1.4) HTTP server Application author: Eduardo Silva (EdsipeR) Author e-mail: edsiper () linux-chile org Monkey Project: http://monkeyd.sourceforge.net Date: 06.09.2002 Impact: Attacker can read files out of SERVER_ROOT directory ... ======[ Problem Monkey doesn't check HTTP request for ../ string, and because of that, attacker can view any file out of SERVER_ROOT directory which Monkey can read (if Monkey is running under root account, attacker can read any file on that machine). There is still one thing which will make attack a little more "complicate": ... Translated to (poor:) english: If our request is / or second char of our request is . , than path will be set to SERVER_ROOT, and in that case, we can't go out of SERVER_ROOT directory. Previous "if" will prevent simple reverse traversal attack like this one: ---cut here--- GET /../../../../../../../../../etc/passwd HTTP/1.0 ---cut here--- But can't prevent this reverse traversal attack: ---cut here--- GET //../../../../../../../../../etc/passwd HTTP/1.0 ---cut here---
Hi: This bug was reported in December 2001 and corrected in following versions. Anyway recently was released Monkey 0.5.0. Nos vemos Daniel -- Daniel R. Ome | Adán comió la manzana, y todavía Jujuy - R.A. | nos duelen las muelas. Linux User 165078 | Proverbio húngaro.
Current thread:
- IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server DownBload (Sep 25)
- Re: IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server Daniel R. Ome (Sep 27)