[27204] in bugtraq


Re: IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server

daemon@ATHENA.MIT.EDU (Daniel R. Ome)
Fri Sep 27 11:57:57 2002

Date: Thu, 26 Sep 2002 15:42:41 -0300
From: "Daniel R. Ome" <keziah@uole.com>
To: bugtraq@securityfocus.com
Message-ID: <20020926184241.GA2325@house>
Reply-To: Daniel Ome <keziah@uole.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20020925091045.29313.qmail@mail.securityfocus.com>

On Wed, Sep 25, 2002 at 09:10:45AM -0000, 
DownBload wrote about IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server:

> 
> 
> 
>                 [ Illegal Instruction Labs Advisory ]
> [-------------------------------------------------------------------------]
> Advisory name: Reverse traversal vulnerability in Monkey (0.1.4) HTTP 
> server
> Advisory number: 12
> Application: Monkey (0.1.4) HTTP server
> Application author: Eduardo Silva (EdsipeR) 
> Author e-mail: edsiper@linux-chile.org
> Monkey Project: http://monkeyd.sourceforge.net
> Date: 06.09.2002
> Impact: Attacker can read files out of SERVER_ROOT directory 
> 
> ... 
> ======[ Problem
> Monkey doesn't check HTTP request for ../ string, and because of that, 
> attacker can view any file out of SERVER_ROOT directory which Monkey can 
> read (if Monkey is running under root account, attacker can read any file 
> on that machine). 
> There is still one thing which will make the attack a little more "complicated":
>
> ...
> 
> Translated to (poor:) English: 
> If our request is / or the second char of our request is . , then path will be
> set to SERVER_ROOT, and in that case, we can't go out of the SERVER_ROOT 
> directory. 
> 
> Previous "if" will prevent simple reverse traversal attack like this one:
> ---cut here---
> GET /../../../../../../../../../etc/passwd HTTP/1.0
> ---cut here---
> 
> But can't prevent this reverse traversal attack:
> ---cut here---
> GET //../../../../../../../../../etc/passwd HTTP/1.0
> ---cut here---
> 

 Hi:

    This bug was reported in December 2001 and corrected in the following 
 versions. Anyway, Monkey 0.5.0 was released recently.

    See you
                                             Daniel

-- 

   Daniel R. Ome    |  Adam ate the apple, and our teeth
    Jujuy - R.A.    |  still ache.
 Linux User 165078  |      Hungarian proverb.
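The quoted advisory describes a check that sends a request whose second character is "." back to SERVER_ROOT, and shows that a leading "//" slips past it. The following is an added illustration of why that check is insufficient and what a root-confinement check looks like; it is constructed for this archive page and is not Monkey's code, the advisory's code, or anything from Daniel's reply. The SERVER_ROOT value, the function names and the "/index.html" sample request are assumptions; the two traversal request lines are the ones quoted from the advisory.

```python
import posixpath

# Assumed document root for this illustration (not Monkey's configured value).
SERVER_ROOT = "/var/www/html"


def naive_resolve(request_path: str) -> str:
    """Path mapping as the advisory describes it: a request of "/" or one
    whose second character is "." maps to SERVER_ROOT; anything else is
    appended to SERVER_ROOT unchanged. Kept deliberately weak to show the bypass."""
    if request_path == "/" or (len(request_path) > 1 and request_path[1] == "."):
        return SERVER_ROOT
    return SERVER_ROOT + request_path


def is_inside_root(path: str) -> bool:
    """True if the lexically normalised path is SERVER_ROOT or below it.
    normpath() collapses "//", "." and ".." segments; it does not follow
    symlinks, which a real server would additionally have to resolve
    (os.path.realpath) before serving the file."""
    norm = posixpath.normpath(path)
    return norm == SERVER_ROOT or norm.startswith(SERVER_ROOT + "/")


def hardened_resolve(request_path: str):
    """Map a request path to a filesystem path only if, after normalisation,
    it still lies inside SERVER_ROOT; return None otherwise. Checking the
    normalised result (rather than one character of the raw request) means
    "//../", "/./../" and similar spellings are all caught the same way."""
    if not request_path.startswith("/") or "\x00" in request_path:
        return None
    candidate = posixpath.normpath(SERVER_ROOT + "/" + request_path)
    return candidate if is_inside_root(candidate) else None


def resolve_request_line(line: str):
    """Take the request-target out of an HTTP request line (hypothetical
    helper) and run it through hardened_resolve()."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return hardened_resolve(parts[1])


if __name__ == "__main__":
    # The two request lines quoted in the advisory.
    simple = "/../../../../../../../../../etc/passwd"
    bypass = "//../../../../../../../../../etc/passwd"
    for req in (simple, bypass, "/index.html"):
        print(f"{req!r:45} naive -> {naive_resolve(req)!r:45} "
              f"inside root: {is_inside_root(naive_resolve(req))}  "
              f"hardened -> {hardened_resolve(req)!r}")
```

Running it shows that the naive mapping keeps the first request at SERVER_ROOT but turns the second into a path that normalises to /etc/passwd, while the hardened mapping rejects both and still serves an ordinary "/index.html".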
