Re: TA-2003-06 Directory Transversal Vulnerability in iWeb Server

["Steven M. Christey" <coley () mitre org>]

There are so many variants to directory traversal vulnerabilities,
especially in web servers and other software where encoding and
canonicalization is such a factor, that I have seen a number of
confusing cases such as this.

It definitely helps when the researcher who discovers a new variant
specifically references the old variant and says how the underlying
problem is different.  This doesn't seem to happen too frequently,
though, and distinguishing between variants gets much more difficult
when it is not known if the vendor has fixed the original variant.

In this case, it looks like the programmer introduced what I call a
"validate-before-canonicalize" error, for lack of a better term: the
software may well strip ".."  sequences from the input (the original
bug), but the programmer does this cleansing *before* the operation
that does the URL decoding (kind of like a new bug - performing
operations in the wrong order).

As programmers have slowly gotten better about avoiding the obvious
directory traversal issues, these "validate-before-canonicalize"
errors seem to be cropping up more frequently.


- Steve