directory traversal bug in Pserv 3.0b2

• Previous message: http-equiv_at_excite.com: "DANGER ZONE: Internet Explorer"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 24 Dec 2003 17:31:21 +0100
To: bugtraq@securityfocus.com

                           Donato Ferrante

Application: PSERV - the small web server
              http://sourceforge.net/projects/pserv

Version: 3.0 beta 2

Bug: directory traversal bug

Author: Donato Ferrante
              e-mail: fdonato@autistici.org
              web: www.autistici.org/fdonato

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The patch

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"The aim of pServ (pico Server) is to create a portable, small
webserver.
Coded in portable C with Unix being the main reference platform, but
porting is encouraged. Portability and small footprint should enable
the use of pServ on a workstation as well as."

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The program, by default, has an anti-directory traversal check, but
this check can be easily bypassed using the double slash ("//") into
the http requests.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the pserv's vulnerability simply send to the webserver an http
request string, like that:

                     "GET //../ HTTP/1.0\r\n\r\n"

or generally:

                    GET //../MY_PATH HTTP/1.0\r\n\r\n
                    GET /SOME_DIRECTORY//..//../ HTTP/1.0\r\n\r\n
                        
so the webserver will allow you to go out of the documentsPath
assigned to the webserver, and navigate through the system.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

--------------
4. The patch:
--------------

To fix the bug simply go on the pserv's official website,
http://sourceforge.net/projects/pserv, and download the latest version
of pserv (see also in CVS).

Or, if you want, you can use my following little patch, that should fix
the bug for the version 3.0b2 of Pserv:

--- main.c 2003-09-22 10:39:24.000000000 +0200
+++ patch.c 2003-12-19 12:40:47.000000000 +0100
@@ -455,6 +455,11 @@
                     dirName[1] = req.documentAddress[2];
                     dirName[2] = req.documentAddress[3];
                     dirName[3] ='\0';
+ if (dirName[0] == '/')
+ {
+ sayError(sock, FORBIDDEN, req.documentAddress, req);
+ return -1;
+ }
                     if (!strcmp(dirName, "../"))
                     {
                         sayError(sock, FORBIDDEN, req.documentAddress, req);
@@ -462,6 +467,15 @@
                     }
                 }
                 j = 0;
+ for(i = 1; i < sL; i++) {
+ if(req.documentAddress[i] == '/')
+ if(req.documentAddress[i+1] == '/')
+ {
+ sayError(sock, FORBIDDEN, req.documentAddress, req);
+ return -1;
+ }
+
+ }
                 for (i = 1; i < sL; i++) {
                     if (req.documentAddress[i] == '/')
                     {

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

• Previous message: http-equiv_at_excite.com: "DANGER ZONE: Internet Explorer"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]