Re: IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server
From: Daniel R. Ome (keziah@uole.com)Date: 09/26/02
- Previous message: Jean-loup Gailly: "remote SYSTEM compromise in WASD OpenVMS http server"
- In reply to: DownBload: "IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 26 Sep 2002 15:42:41 -0300 From: "Daniel R. Ome" <keziah@uole.com> To: bugtraq@securityfocus.com
En Wed, Sep 25, 2002 at 09:10:45AM -0000,
DownBload escribió sobre IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server:
>
>
>
> [ Illegal Instruction Labs Advisory ]
> [-------------------------------------------------------------------------]
> Advisory name: Reverse traversal vulnerability in Monkey (0.1.4) HTTP
> server
> Advisory number: 12
> Application: Monkey (0.1.4) HTTP server
> Application author: Eduardo Silva (EdsipeR)
> Author e-mail: edsiper@linux-chile.org
> Monkey Project: http://monkeyd.sourceforge.net
> Date: 06.09.2002
> Impact: Attacker can read files out of SERVER_ROOT directory
>
> ...
> ======[ Problem
> Monkey doesn't check HTTP request for ../ string, and because of that,
> attacker can view any file out of SERVER_ROOT directory which Monkey can
> read (if Monkey is running under root account, attacker can read any file
> on that machine).
> There is still one thing which will make attack a little more "complicate":
>
> ...
>
> Translated to (poor:) english:
> If our request is / or second char of our request is . , than path will be
> set to SERVER_ROOT, and in that case, we can't go out of SERVER_ROOT
> directory.
>
> Previous "if" will prevent simple reverse traversal attack like this one:
> ---cut here---
> GET /../../../../../../../../../etc/passwd HTTP/1.0
> ---cut here---
>
> But can't prevent this reverse traversal attack:
> ---cut here---
> GET //../../../../../../../../../etc/passwd HTTP/1.0
> ---cut here---
>
Hi:
This bug was reported in December 2001 and corrected in following
versions. Anyway recently was released Monkey 0.5.0.
Nos vemos
Daniel
--Daniel R. Ome | Adán comió la manzana, y todavía Jujuy - R.A. | nos duelen las muelas. Linux User 165078 | Proverbio húngaro.
- Previous message: Jean-loup Gailly: "remote SYSTEM compromise in WASD OpenVMS http server"
- In reply to: DownBload: "IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
