lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 8 Mar 2004 12:40:08 -0000
From: "Donato Ferrante" <fdonato@...istici.org>
To: <bugtraq@...urityfocus.com>
Subject: directory traversal in PWebServer 0.3.3



                           Donato Ferrante


Application:  PWebServer
              http://sourceforge.net/projects/pwebserver/

Version:      0.3.3

Bug:          directory traversal bug

Author:       Donato Ferrante
              e-mail: fdonato@...istici.org
              web:    www.autistici.org/fdonato


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The fix



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"A simple Java multi-threaded Web Server that supports HTTP/1.0 
protocol."


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The program doesn't check for malicious patterns like "/../", so an
attacker is able to see and download all the files on the remote
system simply using a browser.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerability: 

http://[host]:6789/../someFile

or:

http://[host]:6789/../../../../etc/passwd



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

Bug fixed in the version 0.3.4.

If you want, you can use my following little patch, that should fix
the bug for this version of PWebServer:

..
.
.

( line: 99 ) 
fileName = tokenizedLine.nextToken(); // get the relative file name

/* start of patch */


boolean check = false;
    for(int t = 0; t < fileName.length()-1 && check == false; t++){
          if(fileName.charAt(t) == '.' && fileName.charAt(t+1) == '.')
             check = true;
    }
    if(check == true)
       fileName = "";


/* end of patch */

/* empty filename */
if(fileName.equals("") | fileName.equals("/"))
{

.
.
..



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ