[16140] in bugtraq
Brown Orifice HTTPD Directory Traversal Vulnerability (was Re:
daemon@ATHENA.MIT.EDU (TAKAGI, Hiromitsu)
Tue Aug 8 13:47:16 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <39900E4D185.7F0DTAKAGI@java-house.etl.go.jp>
Date: Tue, 8 Aug 2000 22:42:37 +0900
Reply-To: "TAKAGI, Hiromitsu" <takagi@ETL.GO.JP>
From: "TAKAGI, Hiromitsu" <takagi@ETL.GO.JP>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000805020429.11774.qmail@securityfocus.com>
=====================================================
Brown Orifice HTTPD Directory Traversal Vulnerability
=====================================================
Background
----------
Brown Orifice HTTPD (BOHTTPD) <http://www.brumleve.com/BrownOrifice/>
is "a web server and file sharing tool" that runs as a Java Applet in
Netscape Navigator.(*1) It was written by Dan Brumleve and was
announced in BugTraq a few days ago.
Problem Description
-------------------
Brumleve's demonstration page politely asks users to specify a
directory on their computer for public access. However, by specifying
"\.." in HTTP requests to the server, an attacker can navigate the
server's file system and view/download any files. For example,
http://your-ip-address:8080/C:/temp/\../
or
http://your-ip-address:8080/C:/temp/%5C../ (for Internet Explorer
as a client)
will display the contents of the root directory of C: drive of the
server's computer.
Affected versions and platforms
-------------------------------
This bug has been verified to be present on the BOHTTPD 0.1 in
Netscape Navigator 4.72 for Windows.
Workaround
----------
Do not use BOHTTPD. :-)
(*1) This is also a security hole per se, as you know.
Regards,
--
Hiromitsu Takagi
Electrotechnical Laboratory
http://www.etl.go.jp/~takagi/
