Directory traversal and XSS in BremsServer 1.2.4

From: Donato Ferrante (fdonato_at_autistici.org)
Date: 01/26/04

    To: <bugtraq@securityfocus.com>
    Date: Mon, 26 Jan 2004 14:48:22 +0100
    
    

                               Donato Ferrante

    Application: BremsServer
                  http://www.herberlin.de/

    Version: 1.2.4

    Bugs: directory traversal and cross site scripting

    Author: Donato Ferrante
                  e-mail: fdonato@autistici.org
                  web: www.autistici.org/fdonato

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    1. Description
    2. The bugs
    3. The code
    4. The fix

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    ----------------
    1. Description:
    ----------------

    Vendor's Description:

    "Herberlin BremsServer is a small HTTP server you can use to test your
    web pages on your local machine."

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    -------------
    2. The bugs:
    -------------

    [1] directory traversal bug, the program doesn't make a good check on
        the user input string ( /../ ) so an attacker is able to see and
        download all the files on the remote system simply by using his
        browser.

    [2] cross site scripting bug, the program doesn't make a full check
        on the strings sent by the client; in fact, the input strings are
        not filtered and they will appear in the returned page.

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    -------------
    3. The code:
    -------------

    To test the vulnerabilities:

    [1]

    http://[host]/../PATH/windows/system.ini

    [2]

    http://[host]/<script>alert("Test")</script>

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    ------------
    4. The fix:
    ------------

    Bugs will be fixed in the next version of BremsServer. So go to
    BremsServer's official web site: http://www.herberlin.de/
    and check for a new version.

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
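
    Both bugs in the advisory come from the same root cause: the server
    trusts the request path, first when it maps it onto the filesystem and
    again when it reflects it into the error page. The block below is an
    added example, written for this page and not BremsServer's code (which
    the advisory does not include). It puts the flawed mapping the advisory
    describes next to a hardened version that decodes, normalizes and then
    checks containment within the document root, and it escapes the path
    before echoing it in a 404 body. DOCROOT, DEMO_FILES, and the function
    names are assumptions made for the demonstration; the probe strings are
    the advisory's own two requests plus encoded and backslash variants of
    the traversal.

```python
import html
import os
from urllib.parse import unquote, urlsplit

# Constructed document root and file list for the demonstration; neither is
# BremsServer's real layout.
DOCROOT = "/srv/www"
DEMO_FILES = {"/srv/www/index.html", "/srv/www/docs/readme.txt"}


def naive_map(docroot, url_path):
    """Path mapping with the flaw the advisory describes: the decoded request
    path is appended to the docroot and '..' segments are never collapsed or
    checked, so '/../windows/system.ini' walks out of the root."""
    return docroot + unquote(urlsplit(url_path).path)


def safe_map(docroot, url_path):
    """Map url_path to a filesystem path, or return None if it would leave
    docroot.  Order matters: decode first (so '%2e%2e' is seen as '..'),
    normalize, then check containment on the final absolute path."""
    path = unquote(urlsplit(url_path).path)
    if "\x00" in path:                      # NUL would truncate the path in C APIs
        return None
    path = path.replace("\\", "/")          # Windows also treats '\' as a separator
    root = os.path.normpath(docroot)
    # Join relative to the root and collapse '.', '..' and repeated slashes.
    full = os.path.normpath(os.path.join(root, path.lstrip("/")))
    # Containment: the result must be the root itself or live below it.
    # Comparing against root + os.sep keeps '/srv/wwwevil' from passing for '/srv/www'.
    if full != root and not full.startswith(root + os.sep):
        return None
    # If docroot may contain symlinks, repeat this check on os.path.realpath(full).
    return full


def not_found_page(url_path):
    """404 body that reflects the request path.  html.escape converts '<', '>',
    '&' and (with quote=True) both quote characters to entities, so the
    reflected string is rendered as text instead of being parsed as markup."""
    return ("<html><body><h1>404 Not Found</h1><p>The requested URL "
            + html.escape(url_path, quote=True)
            + " was not found on this server.</p></body></html>")


def handle_request(docroot, url_path, exists=os.path.exists):
    """Minimal request pipeline: reject traversal, serve an existing file,
    otherwise answer with the escaped 404 page.  `exists` is injectable so
    the demo can run against the constructed DEMO_FILES set."""
    fs_path = safe_map(docroot, url_path)
    if fs_path is None:
        return 400, "<html><body><h1>400 Bad Request</h1></body></html>"
    if exists(fs_path):
        return 200, fs_path
    return 404, not_found_page(url_path)


if __name__ == "__main__":
    probes = [
        "/../windows/system.ini",           # advisory's traversal probe
        "/%2e%2e/windows/system.ini",       # same, percent-encoded
        "/..\\windows\\system.ini",         # same, with backslashes
        '/<script>alert("Test")</script>',  # advisory's XSS probe
        "/docs/../index.html",              # '..' that stays inside the root
    ]
    for p in probes:
        print("naive:", naive_map(DOCROOT, p))
        print("safe: ", handle_request(DOCROOT, p, exists=DEMO_FILES.__contains__))
```

    Run stand-alone, the script shows the naive mapping producing
    /srv/www/../windows/system.ini for the advisory's first probe while the
    hardened path returns a 400, and the second probe coming back as
    &lt;script&gt;... in the 404 body rather than as live markup. Rejecting
    rather than silently collapsing an escaping '..' is deliberate: a request
    that tries to leave the root is worth logging as such.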
