Bugtraq mailing list archives
directory traversal in xweb 1.0
From: "Donato Ferrante" <fdonato () autistici org>
Date: Mon, 22 Mar 2004 12:51:48 -0000
Donato Ferrante
Application: xweb
http://in.geocities.com/shamit_bagchi
Version: 1.0
Bug: directory traversal bug
Author: Donato Ferrante
e-mail: fdonato () autistici org
web: www.autistici.org/fdonato
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description
2. The bug
3. The code
4. The fix
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------
1. Description:
----------------
xweb is a free HTTP server, for Linux based systems.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
2. The bug:
------------
The program doesn't check for malicious patterns like "/../", so an
attacker is able to see and download all the files on the remote
system simply using a browser.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
3. The code:
-------------
To test the vulnerability:
http://[host]/../../../../etc/passwd
or:
http://[host]/../someFile
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
4. The fix:
------------
Vendor was contacted.
Bug will be probably fixed in the next version of xweb.
If you want, you can use my following little patch, that should fix
the bug for this version of xweb:
.
..
...
(line: 233 of server.c) pstr[i]='\0';
/* start of patch */
int d = 0,
found = 1;
for( ; d < strlen(secondstr)-1 && found == 1; d++ ) {
if( (secondstr[d] == '.') && (secondstr[d+1] == '.') )
found = 0;
}
if(found == 0)
strcpy(secondstr, "/");
/* end of patch */
...
..
.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Current thread:
- directory traversal in xweb 1.0 Donato Ferrante (Mar 22)