lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 24 Jan 2004 14:52:09 +0100
From: "Donato Ferrante" <fdonato@...istici.org>
To: <bugtraq@...urityfocus.com>
Subject: Tiny Server 1.1 (1.0.5) Multiple Vulnerabilities


                           Donato Ferrante


Application:  Tiny Server 
              http://sourceforge.net/projects/tinyserver

Version:      1.1 (1.0.5)

Bugs:         Multiple Vulnerabilities

Author:       Donato Ferrante
              e-mail: fdonato@...istici.org
              web:    www.autistici.org/fdonato


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bugs
3. The code
4. The fix


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"This is a very basic http server. This server can accept multiple
requests at once. The server is only 56 kb. The server has been
configured to accept a maximum of 100 connections.
As of now Tiny Server supports only the GET request."



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
2. The bugs:
-------------

[1] directory traversal bug: the program does't make a good check on
    the user input string ( /../ ) so an attacker is able to see and
    download all the files on the remote system simply using his
    browser.

[2] denial of service bug: the program have no checks on the input
    strings received, so an attacker is able to crash the server
    simply sending a crafted string.

[3] cross site scripting bug: the program doesn't make a full check
    on the strings sent by the client, in fact the input strings are
    not filtered and they will appear in the returned page.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

The following are some examples to test the vulnerabilities:


[1]

http://[host]/../../windows/system.ini



[2]

GET /index.htm
( without specify HTTP/1.1 )

or simply:

index.htm
( without specify GET and HTTP/1.1 )

or:

GET /aaaaaa[ 260 of a ]aaa HTTP/1.1
 


[3]

http://[host]/<script>alert("Test")</script>



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

No fix.
The vendor has not answered to my signalations.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ