Re: IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server

From: Daniel R. Ome (keziah@uole.com)
Date: 09/26/02


Date: Thu, 26 Sep 2002 15:42:41 -0300
From: "Daniel R. Ome" <keziah@uole.com>
To: bugtraq@securityfocus.com

On Wed, Sep 25, 2002 at 09:10:45AM -0000,
DownBload wrote about IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server:

>
>
>
> [ Illegal Instruction Labs Advisory ]
> [-------------------------------------------------------------------------]
> Advisory name: Reverse traversal vulnerability in Monkey (0.1.4) HTTP
> server
> Advisory number: 12
> Application: Monkey (0.1.4) HTTP server
> Application author: Eduardo Silva (EdsipeR)
> Author e-mail: edsiper@linux-chile.org
> Monkey Project: http://monkeyd.sourceforge.net
> Date: 06.09.2002
> Impact: Attacker can read files out of SERVER_ROOT directory
>
> ...
> ======[ Problem
> Monkey doesn't check HTTP request for ../ string, and because of that,
> attacker can view any file out of SERVER_ROOT directory which Monkey can
> read (if Monkey is running under root account, attacker can read any file
> on that machine).
> There is still one thing which will make attack a little more "complicated":
>
> ...
>
> Translated to (poor:) English:
> If our request is / or second char of our request is . , then path will be
> set to SERVER_ROOT, and in that case, we can't go out of SERVER_ROOT
> directory.
>
> Previous "if" will prevent simple reverse traversal attack like this one:
> ---cut here---
> GET /../../../../../../../../../etc/passwd HTTP/1.0
> ---cut here---
>
> But can't prevent this reverse traversal attack:
> ---cut here---
> GET //../../../../../../../../../etc/passwd HTTP/1.0
> ---cut here---
>

 Hi:

    This bug was reported in December 2001 and corrected in the following
 versions. Anyway, Monkey 0.5.0 was released recently.

    See you
                                             Daniel

-- 

Daniel R. Ome     | Adam ate the apple, and our
Jujuy - R.A.      | teeth still ache.
Linux User 165078 | Hungarian proverb.


