Message-ID: <200309242039.h8OKd7t00522@medlicott.panasas.com>
Date: Wed, 24 Sep 2003 13:39:07 -0700
From: Brent Welch <welch@...asas.com>
To: Michael Schlenker <schlenk@...-oldenburg.de>
Cc: Phuong Nguyen <dphuong@...oo.com>, bugtraq@...urityfocus.com,
tclhttpd-users@...ts.sourceforge.net
Subject: Re: [Tclhttpd-users] Re: TCLHttpd Server - Multiple Vulnerabilities
Here is the patch for the dirlist.tcl bug.
Please note also that with this bug you can see a
directory listing, but you cannot fetch any files that
you might be able to see. The server running at www.tcl.tk
has had this patch applied to it.
*** dirlist.tcl 4 Apr 2003 04:10:54 -0000 1.10
--- dirlist.tcl 24 Sep 2003 20:32:28 -0000
***************
*** 174,180 ****
set path [file split $dir]
# Filter pattern to avoid leaking path information
! regsub -all {\.\./} $pattern {} pattern
set list [glob -nocomplain -- [file join $dir $pattern]]
if {[llength $path] > 1} {
--- 174,181 ----
set path [file split $dir]
# Filter pattern to avoid leaking path information
! regsub -all {\.+/} $pattern {} pattern
! set pattern [string trimleft $pattern /]
set list [glob -nocomplain -- [file join $dir $pattern]]
if {[llength $path] > 1} {
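Review bot: the added `set pattern [string trimleft $pattern /]` only covers patterns that begin with a slash, but the following `set list [glob -nocomplain -- [file join $dir $pattern]]` has `file join` discard `$dir` for any argument that Tcl does not classify as relative, and that class is wider than a leading `/` (`file pathtype` distinguishes absolute and volumerelative forms, and they differ between Unix and Windows, both of which this server supports). Rather than stripping substrings, reject the request when `[file pathtype $pattern] ne "relative"`, or compare `[file normalize [file join $dir $pattern]]` against `[file normalize $dir]` and refuse anything that does not stay under it; with that check in place the regsub only has to catch `..` components, and the widened `{\.+/}` also removes harmless `./` sequences and names ending in a dot that the earlier `{\.\./}` left alone.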
>>>Michael Schlenker said:
> Phuong Nguyen wrote:
>
> >Released Date 09/23/2003
> >
> >TITLE
> >=====
> >TCLHttpd 3.4.2 - Multiple Vulnerabilities
> >
> >DESCRIPTION
> >===========
> >"TclHttpd is used both as a general-purpose Web
> >server, and as a framework for building server
> >applications. It implements Tcl (http://www.tcl.tk),
> >including the Tcl Resource Center and Scriptics'
> >electronic commerce facilities. It is also
> >built into several commercial applications such as
> >license servers and mail spam filters. Instructions
> >for setting up the TclHttpd on your platform are given
> >towards the end of the chapter, on page See The
> >TclHttpd Distribution. It works on Unix, Windows, and
> >Macintosh. You can have the server up and running
> >quickly."
> >
> >More information at
> >http://www.tcl.tk/software/tclhttpd
> >
> One should add the sourceforge Project:
> http://www.sourceforge.net/projects/tclhttpd
>
> >
> >PROBLEMS
> >========
> >Affected Version : TCLHttpd 3.4.2 (latest) and
> >probably older builds
> >Tested Platform : Linux(x86)
> >
> >Multiple flaws in the TCLHttpd server open the door for
> >an attacker to browse any directories on the remote
> >host, and to inject malicious javascript/vbscript
> >content into the user's browser under the TCLHttpd
> >server context (Cross Site Scripting).
> >
> >DETAILS
> >=======
> >[Vulnerability #1] Arbitrary Directory Browsing
> >
> >When a user requests a directory on the TCLHttpd server,
> >httpdthread.tcl will start to look for various default
> >index file names in that directory; if none can be
> >found, then it will pass the operation to the dirlist.tcl
> >script to do the "fancy" directory listing, which
> >provides users the ability to sort files by modification
> >date, name, size or file pattern. The dirlist.tcl script
> >does filter inputs from the users in order to prevent
> >directory traversal, but it can be easily bypassed if
> >an absolute path is entered. Directory listing is
> >enabled by default.
> >
> >For example: Requesting
> >http://abc.com/images/?pattern=/*&sort=name will
> >return a list of the directories under /
> >
> Confirmed. This is similar to:
> http://sourceforge.net/tracker/index.php?func=detail&aid=591103&group_id=12884&atid=112884
>
> >[Vulnerability #2] Cross Site Scripting (XSS)
> >
> >The TCLHttpd web server comes with various modules in
> >order to increase the flexibility of the server, and
> >the /debug module is enabled by default, which allows
> >you to download logging information and debug the Tcl
> >part of the application without restarting the hosting
> >application.
> >
> >Many modules suffer from multiple Cross Site
> >Scripting (XSS) vulnerabilities that potentially
> >enable a malicious user to "inject" code into a
> >user's session under the TCLHttpd server context.
> >I'm going to use the /debug module as an example.
> >
> >http://www.abc.com/debug/echo?name=<script>alert('hello');</script>
> >http://www.abc.com/debug/dbg?host=<script>alert('hello');</script>
> >http://www.abc.com/debug/showproc?proc=<script>alert('hello');</script>
> >http://www.abc.com/debug/errorInfo?title=<script>alert('hello');</script>
> >
> >WORK AROUND
> >===========
> >You can eliminate the threats from these
> >vulnerabilities by editing your httpdthread.tcl and
> >commenting out the directory listing option; you
> >should also disable the following modules to prevent
> >Cross Site Scripting: Status, Debug, Mail and Admin.
> >
> >
>
> Michael Schlenker
>
> _______________________________________________
> TclHttpd-users mailing list
> TclHttpd-users@...ts.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/tclhttpd-users
--
Brent Welch
Software Architect, Panasas Inc
Delivering the World's Most Scalable and Agile Storage Network
www.panasas.com
welch@...asas.com
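The script below is an added illustration, not code from tclhttpd, from the patch above or from the advisory. It runs the pre-patch and patched dirlist.tcl pattern filters side by side against constructed request patterns (including the `/*` absolute-path case from the advisory) and shows what `file join` would hand to `glob` in each case, then applies a canonicalisation check that the patch does not contain. The procedure names, the document directory `/var/www/htdocs/images` and the `safe_glob_path` check are assumptions for the example; `file pathtype`, `file normalize` and `string equal -length` are standard Tcl commands. Run it with `tclsh`.

```tcl
#!/usr/bin/env tclsh
# Added illustration, not code from tclhttpd or from the patch above.
# Compares the pre-patch and patched dirlist.tcl pattern filters with a
# canonicalisation check, using a constructed document directory.

# Pre-patch filter (dirlist.tcl 1.10 in the hunk): strips "../" only.
proc filter_orig {pattern} {
    regsub -all {\.\./} $pattern {} pattern
    return $pattern
}

# Patched filter from the hunk: strips any run of dots before a slash, then
# removes leading slashes so the pattern can no longer start at "/".
proc filter_patched {pattern} {
    regsub -all {\.+/} $pattern {} pattern
    set pattern [string trimleft $pattern /]
    return $pattern
}

# Assumed hardening (not in the patch): instead of relying on substring
# stripping alone, check the path that would actually be passed to glob.
# Returns that path, or raises an error if it does not lie under $dir.
proc safe_glob_path {dir pattern} {
    set pattern [filter_patched $pattern]
    if {$pattern eq ""} {
        set pattern *
    }
    # file join replaces $dir with $pattern whenever $pattern is not relative,
    # so refuse anything Tcl does not classify as relative on this platform.
    if {[file pathtype $pattern] ne "relative"} {
        return -code error "non-relative pattern rejected: $pattern"
    }
    set base   [file normalize $dir]
    set target [file normalize [file join $dir $pattern]]
    set prefix "${base}/"
    if {![string equal -length [string length $prefix] $prefix $target]} {
        return -code error "pattern escapes $dir: $target"
    }
    return $target
}

# Constructed directory and request patterns: "/*" is the bypass reported in
# the advisory, the others are an ordinary pattern and dot-dot variants.
set dir /var/www/htdocs/images
foreach pattern {*.gif ../*.txt /* ../../etc/* ./..//*} {
    set orig    [file join $dir [filter_orig $pattern]]
    set patched [file join $dir [filter_patched $pattern]]
    if {[catch {safe_glob_path $dir $pattern} checked]} {
        set checked "REJECTED ($checked)"
    }
    puts [format "%-12s pre-patch=%-30s patched=%-32s checked=%s" \
        $pattern $orig $patched $checked]
}
```

The pre-patch column shows why `/*` leaked: `filter_orig` leaves the pattern untouched and `file join` then discards `$dir` because the argument is absolute. The patched filter turns it into `*` and the listing stays inside the images directory. The `safe_glob_path` column makes the same decision by inspecting the resulting path rather than the request string, which is the check a reviewer would want alongside the regsub: it does not depend on enumerating every spelling of a traversal.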