[19045] in bugtraq
Re: Vulnerability in AOLserver
daemon@ATHENA.MIT.EDU (Michael A. Cleverly)
Tue Feb 6 16:09:31 2001
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.30.0102061236080.22022-100000@gibraltar.deseretbook.net>
Date: Tue, 6 Feb 2001 12:43:21 -0700
Reply-To: "Michael A. Cleverly" <michael@CLEVERLY.COM>
From: "Michael A. Cleverly" <michael@CLEVERLY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200102060730.XAA00736@user7.hushmail.com>
On Tue, 6 Feb 2001 joetesta@HUSHMAIL.COM wrote:
> Vulnerability in AOLserver
>
> Overview
>
> AOLserver v3.2 is a web server available from http://www.aolserver.com.
> A vulnerability exists which allows a remote user to break out of the
> web root using relative paths (i.e. '...').
>
> Details
>
> AOLServer checks the requested virtual path for any double dots ('..'),
> and returns a 'Not Found' error page if any are present. However, it
> does not check for triple dots ('...'). Here is an example URL:
>
> http://localhost:8000/.../[file outside web root]
>
> Note that this vulnerability has only been tested on the latest stable
> release (v3.2) for the Win32 platform.
>
> Solution
>
> No quick fix is possible.
>
> Vendor Status
>
> America Online, Inc. was contacted via http://www.aolserver.com/feedback/
> on Tuesday, January 30, 2001. No reply was received.
Here's a possible "quick fix". It took me five minutes, but that was just
because I had to download AOLserver for Windoze and install it. Simply
copy the following Tcl code into a .tcl file in either the server's private
or public Tcl library (c:\program files\aolserver\modules\tcl in the
default Windows installation) and restart AOLserver.
#### cut here ####
# Run the check before authentication for every GET, POST and HEAD request.
ns_register_filter preauth GET  /* windows_triple_dot_check
ns_register_filter preauth POST /* windows_triple_dot_check
ns_register_filter preauth HEAD /* windows_triple_dot_check

# Reject any request whose URL contains "/..." with 403 Forbidden and stop
# further processing; otherwise let the request continue normally.
proc windows_triple_dot_check {args} {
    if {[string match */...* [ns_conn url]]} {
        ns_returnforbidden
        return filter_return
    } else {
        return filter_ok
    }
}
#### cut here ####
Regards,
Michael A. Cleverly
michael@cleverly.com
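An added example, not code from the post, from the advisory, or from AOLserver itself: the same idea as the Tcl filter above, written in Python as a per-segment check so it can be run offline and compared with a naive check that rejects only a literal '..' segment (modelled on the behaviour the advisory reports, since the page does not show AOLserver's own code). It generalises slightly beyond the post: it percent-decodes the URL first and treats backslash as a separator on the assumption that the Win32 build accepts it; both are assumptions, not behaviour the advisory states. The sample URLs and the file name `outside.txt` are constructed for the comparison.

```python
# Added example: per-segment dotted-path check beside the weak "'..' only"
# comparison the advisory describes. Not AOLserver's code and not the Tcl
# filter from the post; sample requests below are constructed.
from urllib.parse import unquote

# Assumption: the Win32 build also accepts backslash as a path separator,
# so both separators are normalised to '/' before splitting into segments.
SEPARATORS = "/\\"


def split_segments(url: str) -> list[str]:
    """Percent-decode the request URL and split it into path segments.

    Decoding before checking is an assumption about where a filter should
    sit; the advisory only shows the literal '...' form.
    """
    decoded = unquote(url)
    for sep in SEPARATORS:
        decoded = decoded.replace(sep, "/")
    return [seg for seg in decoded.split("/") if seg]


def naive_double_dot_check(url: str) -> bool:
    """Model of the check the advisory describes: only a segment that is
    exactly '..' is rejected, so '...' slips through.

    Returns True when the request would be allowed.
    """
    return all(seg != ".." for seg in split_segments(url))


def dotted_segment_check(url: str) -> bool:
    """Hardened check: reject any segment made only of two or more dots
    ('..', '...', '....', ...) after decoding.

    Returns True when the request is allowed. A segment such as '...tar.gz'
    contains other characters and is left alone.
    """
    for seg in split_segments(url):
        if len(seg) >= 2 and set(seg) == {"."}:
            return False
    return True


# Constructed sample requests. '/.../outside.txt' follows the URL shape in
# the advisory; the others are variants added for the comparison.
SAMPLE_URLS = [
    "/index.html",
    "/../outside.txt",
    "/.../outside.txt",
    "/%2e%2e%2e/outside.txt",
    "/docs/....\\outside.txt",
    "/files/...tar.gz",
]


def compare_checks(urls=SAMPLE_URLS) -> dict[str, tuple[bool, bool]]:
    """Return {url: (naive_allows, hardened_allows)} for each sample URL."""
    return {u: (naive_double_dot_check(u), dotted_segment_check(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, hardened) in compare_checks().items():
        print(f"{url:28} naive={'allow' if naive else 'deny':5} "
              f"hardened={'allow' if hardened else 'deny'}")
```

Running the module prints one line per sample URL; the '/.../outside.txt' request is the one the naive check allows and the segment check denies, which is the gap the advisory describes.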