[18965] in bugtraq
GoAhead Web Server Directory Traversal Vulnerability
daemon@ATHENA.MIT.EDU (Sergey Nenashev)
Fri Feb 2 15:41:49 2001
Message-Id: <1978184072.20010202153012@ntvi.ru>
Date: Fri, 2 Feb 2001 15:30:12 +0300
Reply-To: Sergey Nenashev <alf@ntvi.ru>
From: Sergey Nenashev <alf@NTVI.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
Hello!
We have found a bug in the GoAhead WebServer, v.2.0 and v.2.1.
An attacker can get any file from the drive where the web server was installed.
Try the following request:
http://www.somehost.com/..\..\..\..\..\..\autoexec.bat
This vulnerability may allow an attacker to execute code with the
privileges of GoAhead (Administrator? or root?):
http://www.somehost.com/cgi-bin/..\..\..\..\..\..\winnt\system32\cmd.exe?/c+dir+c:\
Patch for this vulnerability:
in file: url.c
in function websUrlParse(...)
int websUrlParse(char_t *url, char_t **pbuf, char_t **phost, char_t **ppath,
    char_t **pport, char_t **pquery, char_t **pproto, char_t **ptag,
    char_t **pext)
{
    char_t *tok, *cp, *host, *path, *port, *proto, *tag, *query, *ext, *slash;
    char_t *last_delim, *hostbuf, *portbuf, *buf;
    int c, len, ulen;

    a_assert(url);
    a_assert(pbuf);

    ulen = gstrlen(url);

/*
 *  Deny directory traversal vulnerability
 */
    while((slash = strchr(url, '\\')) != NULL) {
        *slash = '/';
    }

/*
 *  We allocate enough to store separate hostname and port number fields.
 *  As there are 3 strings in the one buffer, we need room for 3 null chars.
 *  We allocate MAX_PORT_LEN char_t's for the port number.
 */
--
Sergey Nenashev <alf@ntvi.ru>
Yevgeny V.Yourkhov <a007@ntvi.ru>
Security Administrator Team
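
The patch in the message converts backslashes to forward slashes at the start of URL parsing. As an added example (not part of the original message and not GoAhead code), the function below shows the complete check that conversion feeds into: separators are unified first, then dot segments are resolved, and any path that would climb above the document root is rejected. The name normalize_url_path is hypothetical, and the input is assumed to be already percent-decoded.

```c
#include <string.h>

/*
 * normalize_url_path: hypothetical helper, not GoAhead code.
 * Rewrites an already percent-decoded URL path in place:
 *   - treats '\' as '/' (the separator used in the requests above),
 *   - drops empty and "." segments,
 *   - resolves ".." segments, failing if one would climb above "/".
 * Returns 0 on success, -1 if the path is relative or leaves the root.
 */
int normalize_url_path(char *path)
{
    char *src = path, *dst = path;
    size_t seglen;

    if (path == NULL || (*path != '/' && *path != '\\'))
        return -1;                      /* only absolute paths accepted */

    for (char *p = path; *p; p++)       /* unify separators first */
        if (*p == '\\')
            *p = '/';

    while (*src) {
        while (*src == '/')             /* skip one or more separators */
            src++;
        seglen = strcspn(src, "/");
        if (seglen == 0)
            break;                      /* trailing separator(s) only */
        if (seglen == 1 && src[0] == '.') {
            /* "." names the current directory: drop it */
        } else if (seglen == 2 && src[0] == '.' && src[1] == '.') {
            if (dst == path)
                return -1;              /* ".." above the root: reject */
            do { dst--; } while (*dst != '/');  /* pop last segment */
        } else {
            *dst++ = '/';               /* dst never overtakes src */
            memmove(dst, src, seglen);
            dst += seglen;
        }
        src += seglen;
    }
    if (dst == path)
        *dst++ = '/';                   /* everything collapsed to root */
    *dst = '\0';
    return 0;
}
```

A server would call this on the decoded request path before mapping it to a file or CGI handler, and answer with an error when it returns -1.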