[34205] in bugtraq


directory traversal in xweb 1.0

daemon@ATHENA.MIT.EDU (Donato Ferrante)
Mon Mar 22 15:15:41 2004

Date: Mon, 22 Mar 2004 12:51:48 -0000
To: <bugtraq@securityfocus.com>
From: "Donato Ferrante" <fdonato@autistici.org>
Message-Id: <20040322125148.6BC0423E41@chernobyl.investici.org>


                           Donato Ferrante


Application:  xweb
              http://in.geocities.com/shamit_bagchi

Version:      1.0

Bug:          directory traversal bug

Author:       Donato Ferrante
              e-mail: fdonato@autistici.org
              web:    www.autistici.org/fdonato


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The fix



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

xweb is a free HTTP server for Linux-based systems.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The program doesn't check the requested path for malicious patterns
like "/../", so an attacker is able to see and download all the files
on the remote system simply by using a browser.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerability:

http://[host]/../../../../etc/passwd

or:

http://[host]/../someFile



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

The vendor was contacted.
The bug will probably be fixed in the next version of xweb.



If you want, you can use the following little patch of mine, which
should fix the bug for this version of xweb:

        .
        ..
        ...

(line: 233 of server.c) pstr[i]='\0';

/* start of patch */

/* Reject any request path that contains "..".  The original scan used
 * "d < strlen(secondstr)-1", which wraps around on an empty string
 * (size_t arithmetic) and then reads past the terminator; strstr() does
 * the same search without that defect.  It still only matches a literal
 * "..", so it must run on the already URL-decoded path, and it also
 * rejects harmless names such as "a..b". */

if( strstr(secondstr, "..") != NULL )
     strcpy(secondstr, "/");   /* serve "/" instead of the requested path */

/* end of patch */

        ...
        ..
        .
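A more robust check than the patch above, added here as an example and not part of the original advisory or of xweb: resolve the request path segment by segment, so that "/../" is rejected wherever it climbs above the document root (including percent-encoded forms) while a name that merely contains "..", such as "a..b", is still served. It assumes the request path arrives still percent-encoded and that the caller supplies the document root; the test URLs from section 3 are among the rejected inputs.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SEGS 64

/* Decode %XX escapes in place (assumption: the raw request path is passed in). */
static void percent_decode(char *s)
{
    char *w = s;
    for (; *s; s++, w++) {
        if (*s == '%' && isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2])) {
            char hex[3] = { s[1], s[2], '\0' };
            *w = (char)strtol(hex, NULL, 16);
            s += 2;
        } else {
            *w = *s;
        }
    }
    *w = '\0';
}

/* Map reqpath below docroot.  Returns 1 and fills out on success, 0 if the
 * path would climb above docroot, has too many segments, or out is too small. */
int resolve_under_docroot(const char *docroot, const char *reqpath,
                          char *out, size_t outsz)
{
    char buf[1024];
    const char *segs[MAX_SEGS];
    size_t nsegs = 0, used, i;

    if (strlen(reqpath) >= sizeof buf) return 0;
    strcpy(buf, reqpath);
    percent_decode(buf);                    /* decode once, before splitting */

    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;            /* "." is a no-op   */
        if (strcmp(tok, "..") == 0) {
            if (nsegs == 0) return 0;       /* would leave docroot: reject   */
            nsegs--; continue;              /* ".." inside docroot is fine   */
        }
        if (nsegs == MAX_SEGS) return 0;
        segs[nsegs++] = tok;                /* "a..b" is an ordinary name    */
    }

    used = (size_t)snprintf(out, outsz, "%s", docroot);
    for (i = 0; i < nsegs && used < outsz; i++)
        used += (size_t)snprintf(out + used, outsz - used, "/%s", segs[i]);
    return used < outsz;
}
```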



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
