[16146] in bugtraq
Re: Brown Orifice HTTPD Directory Traversal Vulnerability (was
daemon@ATHENA.MIT.EDU (Michael H. Warfield)
Wed Aug  9 14:00:25 2000
Mail-Followup-To: "TAKAGI, Hiromitsu" <takagi@ETL.GO.JP>,
                  BUGTRAQ@SECURITYFOCUS.COM
Message-ID:  <20000808121505.C18696@alcove.wittsend.com>
Date:         Tue, 8 Aug 2000 12:15:05 -0400
Reply-To: "Michael H. Warfield" <mhw@WITTSEND.COM>
From: "Michael H. Warfield" <mhw@WITTSEND.COM>
X-To:         "TAKAGI, Hiromitsu" <takagi@ETL.GO.JP>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <39900E4D185.7F0DTAKAGI@java-house.etl.go.jp>; from
              takagi@ETL.GO.JP on Tue, Aug 08, 2000 at 10:42:37PM +0900
On Tue, Aug 08, 2000 at 10:42:37PM +0900, TAKAGI, Hiromitsu wrote:
	[...]
> Problem Description
> -------------------
>   Brumleve's demonstration page politely asks users to specify a
>   directory on their computer for public access. However, by specifying
>   "\.." in HTTP requests to the server, an attacker can navigate the
>   server's file system and view/download any files. For example,
>       http://your-ip-address:8080/C:/temp/\../
>   or
>       http://your-ip-address:8080/C:/temp/%5C../ (for Internet Explorer
>       as a client)
>   will display the contents of the root directory of the C: drive of the
>   server's computer.
> Affected versions and platforms
> -------------------------------
>   This bug has been verified to be present on the BOHTTPD 0.1 in
>   Netscape Navigator 4.72 for Windows.

	This does not appear to be effective against Netscape Communicator
4.74 on Linux.  I get permission denied for any plain ".." in the path
anywhere and anything with "\.." or "%5c.." gets a Java runtime error
complaining that the directory "\.." was not found.

> Workaround
> ----------
>   Do not use BOHTTPD.  :-)
	:-)
	Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
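
Added example, not part of either post and not BOHTTPD's code: the request paths quoted above, resolved under Windows and POSIX path rules, showing why a filter that only rejects "/"-delimited ".." components passes "\.." and why the result differs between the two platforms. The function names, the filter model, the shared directory "C:/temp" and the file name readme.txt are assumptions made for illustration.

```python
import ntpath
import posixpath
from urllib.parse import unquote

def naive_allows(url_path):
    """Hypothetical filter: reject only '..' components delimited by '/'."""
    return ".." not in unquote(url_path).split("/")

def resolve(url_path, pathmod):
    """Decode the URL path and normalize it under one OS's path rules."""
    fs_path = unquote(url_path).lstrip("/")   # "%5C" decodes to a backslash
    return pathmod.normpath(fs_path)

def contained(shared_dir, url_path, pathmod):
    """Hardened check: compare after normalization, using the OS's separators."""
    root = pathmod.normcase(pathmod.normpath(shared_dir))
    target = pathmod.normcase(resolve(url_path, pathmod))
    try:
        return pathmod.commonpath([root, target]) == root
    except ValueError:          # different drives, or absolute mixed with relative
        return False

if __name__ == "__main__":
    shared = "C:/temp"          # constructed shared directory, as in the quoted URLs
    requests = ["/C:/temp/readme.txt", "/C:/temp/../",
                "/C:/temp/\\../", "/C:/temp/%5C../"]
    for name, mod in (("windows", ntpath), ("posix", posixpath)):
        for req in requests:
            print(f"{name:8} {req:20} naive={naive_allows(req)!s:5} "
                  f"resolved={resolve(req, mod)!r:18} "
                  f"contained={contained(shared, req, mod)}")
```

Under POSIX rules the backslash is an ordinary filename character, so "\.." names a literal directory entry inside the shared directory rather than its parent.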