[Full-Disclosure] directory traversal in RaidenHTTPD 1.1.27

From: Donato Ferrante (fdonato_at_autistici.org)
Date: 02/05/05

    Date: Sat, 5 Feb 2005 13:18:23 -0000
    To: <bugtraq@securityfocus.com>, <vuln@secunia.com>, <full-disclosure@lists.netsys.com>, <bugs@securitytracker.com>, <news@securiteam.com>
    
    

                               Donato Ferrante

    Application: RaidenHTTPD
                  http://www.raidenhttpd.com/

    Version: 1.1.27

    Bug: directory traversal

    Date: 05-Feb-2005

    Author: Donato Ferrante
                  e-mail: fdonato@autistici.org
                  web: www.autistici.org/fdonato

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    1. Description
    2. The bug
    3. The code
    4. The fix

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    ----------------
    1. Description:
    ----------------

    Vendor's Description:

    "RaidenHTTPD is a full featured web server software for Windows 98/Me/
    2000/XP/2003 platforms."

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    ------------
    2. The bug:
    ------------

    By default the program has some checks to block malicious patterns
    such as "/../" in HTTP requests, but it does not handle the leading
    "/" of the request path correctly. If you send a request like:

    > GET /somefile HTTP/1.1

    the web server returns the requested file if it exists in the
    DocumentRoot directory.

    But if you send a request like:

    > GET somefile HTTP/1.1

    the web server returns the requested file if it exists on the disk
    partition where the httpd is installed: the path is resolved from the
    root of that partition rather than from DocumentRoot.

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    -------------
    3. The code:
    -------------

    To test the vulnerability, send a raw HTTP request to the server like:

    GET windows/system.ini HTTP/1.1
    Host: localhost

    This displays Windows' system.ini if the HTTP server is installed on
    the same partition as Windows.
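    The leading-slash check the advisory describes, as an added defender's example that is not part of the original post or of RaidenHTTPD: a request-target resolver that rejects targets without a leading "/" (and anything that climbs above the document root), plus a helper that flags such request lines for log review. The document root and the sample request lines are constructed for the demonstration.

```python
import os
import posixpath
from urllib.parse import unquote, urlsplit


def request_line_target(request_line):
    """Return the request-target of a request line such as 'GET /x HTTP/1.1'."""
    parts = request_line.split()
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[1]


def safe_resolve(target, doc_root):
    """Map a request-target onto a file under doc_root, or return None.
    The leading-'/' check is the one the advisory says 1.1.27 lacked."""
    path = unquote(urlsplit(target).path)        # drop ?query, decode %XX
    if not path.startswith("/"):
        return None                              # 'GET somefile' -> reject
    if "\\" in path or "\x00" in path:
        return None                              # Windows separator / NUL
    if ".." in path.split("/"):
        return None                              # no climbing, even '/../x'
    root = os.path.abspath(doc_root)
    rel = posixpath.normpath(path).lstrip("/")   # '/a/./b' -> 'a/b'
    full = os.path.abspath(os.path.join(root, rel))
    if os.path.commonpath([root, full]) != root:
        return None                              # defence in depth
    return full


# Constructed request lines for the demonstration, not captured traffic.
SAMPLE_REQUEST_LINES = [
    "GET /index.html HTTP/1.1",
    "GET windows/system.ini HTTP/1.1",
    "GET ../../somefile HTTP/1.1",
]


def flag_relative_targets(request_lines):
    """Return the lines whose target lacks the leading '/', the shape of
    the advisory's proof-of-concept request, for log review or an IDS rule."""
    flagged = []
    for line in request_lines:
        try:
            path = unquote(urlsplit(request_line_target(line)).path)
        except ValueError:
            flagged.append(line)
            continue
        if not path.startswith("/"):
            flagged.append(line)
    return flagged
```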

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    ------------
    4. The fix:
    ------------

    The vendor was contacted.
    The bug is fixed in version 1.1.31.

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
