| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20031224173121.00001336.fdonato@autistici.org>
Date: Wed, 24 Dec 2003 17:31:21 +0100
From: Donato Ferrante <fdonato@...istici.org>
To: bugtraq@...urityfocus.com
Subject: directory traversal bug in Pserv 3.0b2
Donato Ferrante
Application: PSERV - the small web server
http://sourceforge.net/projects/pserv
Version: 3.0 beta 2
Bug: directory traversal bug
Author: Donato Ferrante
e-mail: fdonato@...istici.org
web: www.autistici.org/fdonato
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description
2. The bug
3. The code
4. The patch
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------
1. Description:
----------------
Vendor's Description:
"The aim of pServ (pico Server) is to create a portable, small
webserver.
Coded in portable C with Unix being the main reference platform, but
porting is encouraged. Portability and small footprint should enable
the use of pServ on a workstation as well as."
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
2. The bug:
------------
The program, by default, has an anti-directory traversal check, but
this check can be easily bypassed using the double slash ("//") into
the http requests.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
3. The code:
-------------
To test the pserv's vulnerability simply send to the webserver an http
request string, like that:
"GET //../ HTTP/1.0\r\n\r\n"
or generally:
GET //../MY_PATH HTTP/1.0\r\n\r\n
GET /SOME_DIRECTORY//..//../ HTTP/1.0\r\n\r\n
so the webserver will allow you to go out of the documentsPath
assigned to the webserver, and navigate through the system.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
--------------
4. The patch:
--------------
To fix the bug simply go on the pserv's official website,
http://sourceforge.net/projects/pserv, and download the latest version
of pserv (see also in CVS).
Or, if you want, you can use my following little patch, that should fix
the bug for the version 3.0b2 of Pserv:
--- main.c 2003-09-22 10:39:24.000000000 +0200
+++ patch.c 2003-12-19 12:40:47.000000000 +0100
@@ -455,6 +455,11 @@
dirName[1] = req.documentAddress[2];
dirName[2] = req.documentAddress[3];
dirName[3] ='\0';
+ if (dirName[0] == '/')
+ {
+ sayError(sock, FORBIDDEN, req.documentAddress, req);
+ return -1;
+ }
if (!strcmp(dirName, "../"))
{
sayError(sock, FORBIDDEN, req.documentAddress, req);
@@ -462,6 +467,15 @@
}
}
j = 0;
+ for(i = 1; i < sL; i++) {
+ if(req.documentAddress[i] == '/')
+ if(req.documentAddress[i+1] == '/')
+ {
+ sayError(sock, FORBIDDEN, req.documentAddress, req);
+ return -1;
+ }
+
+ }
for (i = 1; i < sL; i++) {
if (req.documentAddress[i] == '/')
{
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Powered by blists - more mailing lists