[NEWS] TCLHttpd Contains Two Vulnerabilities (Directory Browsing, XSS)
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org Date: 1 Oct 2003 11:49:29 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
TCLHttpd Contains Two Vulnerabilities (Directory Browsing, XSS)
<http://www.tcl.tk/software/tclhttpd> TCLHttpd is "used both as a
general-purpose Web server, and as a framework for building server
applications. It implements Tcl (http://www.tcl.tk), including the Tcl
Resource Center and Scriptics' electronic commerce facilities. It is also
built into several commercial applications such as license servers and
mail spam filters. Instructions for setting up the TclHttpd on your
platform are given towards the end of the chapter, on page see the
TclHttpd Distribution. It works on UNIX, Windows, and Macintosh. You can
have the server up and running quickly".
The product has been found to contain two security vulnerabilities that
would allow a remote attacker to view the directory and file contents of
directories residing on the server, and to cause the product to return
arbitrary content as if it were its own.
* TCLHttpd version 3.4.2
Multiple flaws in TCLHttpd server which open door for an attacker to
browse any directories on the remote host, and to inject malicious
server context (Cross Site Scripting).
Arbitrary Directory Browsing
When a user requests a directory on TCLHttpd server, httpdthread.tcl will
start to look for various default index file names in that directory, if
none can be found then it will pass the operation to dirlist.tcl script to
do the "fancy" directory listing which provides users the ability to sort
files by modify date, name, size or file's pattern. Dirlist.tcl script
does filter inputs from the users in order to prevent directory traversal
but it can be easily bypassed if an absolute path was entered. Directory
listing is enabled by default.
Requesting http://abc.com/images/?pattern=/*&sort=name will return you a
list of directory under /
Cross Site Scripting (XSS)
TCLHttpd web server comes with various modules in order to increase the
flexibility of the server, and /debug module is enable by default which
allows you to download logging information, debug the Tcl part of the
application without restarting the hosting application. Many modules are
suffered from the multiple Cross Site Scripting (XSS) vulnerabilities that
potentially enable a malicious user to "inject" code into a user's session
under TCLHttpd server context. Phuong is going to use the /debug module as