[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040308124008.9D2D923FC8@chernobyl.investici.org>
Date: Mon, 8 Mar 2004 12:40:08 -0000
From: "Donato Ferrante" <fdonato@...istici.org>
To: <bugtraq@...urityfocus.com>
Subject: directory traversal in PWebServer 0.3.3
Donato Ferrante
Application: PWebServer
http://sourceforge.net/projects/pwebserver/
Version: 0.3.3
Bug: directory traversal bug
Author: Donato Ferrante
e-mail: fdonato@...istici.org
web: www.autistici.org/fdonato
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description
2. The bug
3. The code
4. The fix
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------
1. Description:
----------------
Vendor's Description:
"A simple Java multi-threaded Web Server that supports HTTP/1.0
protocol."
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
2. The bug:
------------
The program doesn't check for malicious patterns like "/../", so an
attacker is able to see and download all the files on the remote
system simply using a browser.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
3. The code:
-------------
To test the vulnerability:
http://[host]:6789/../someFile
or:
http://[host]:6789/../../../../etc/passwd
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
4. The fix:
------------
Bug fixed in the version 0.3.4.
If you want, you can use my following little patch, that should fix
the bug for this version of PWebServer:
..
.
.
( line: 99 )
fileName = tokenizedLine.nextToken(); // get the relative file name
/* start of patch */
boolean check = false;
for(int t = 0; t < fileName.length()-1 && check == false; t++){
if(fileName.charAt(t) == '.' && fileName.charAt(t+1) == '.')
check = true;
}
if(check == true)
fileName = "";
/* end of patch */
/* empty filename */
if(fileName.equals("") | fileName.equals("/"))
{
.
.
..
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Powered by blists - more mailing lists