directory traversal in GWeb 0.6

From: Donato Ferrante (fdonato_at_autistici.org)
Date: 03/03/04

  • Next message: please_reply_to_security_at_sco.com: "OpenLinux: rsync heap based overflow"
    Date: Wed, 3 Mar 2004 12:42:13 -0000
    To: <bugtraq@securityfocus.com>
    
    

                               Donato Ferrante

    Application: GWeb HTTP Server
                  http://freshmeat.net/projects/gweb/

    Version: 0.6

    Bug: directory traversal bug

    Author: Donato Ferrante
                  e-mail: fdonato@autistici.org
                  web: www.autistici.org/fdonato

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    1. Description
    2. The bug
    3. The code
    4. The Fix

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    ----------------
    1. Description:
    ----------------

    Vendor's Description:

    "GWeb is a project to develop an HTTP server using Java, making it
    small and portable. It will run on any system running the Java
    Runtime Environment."

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    ------------
    2. The bug:
    ------------

    The program doesn't check the requested path for traversal patterns
    such as "/../", so an attacker is able to view and download any file
    on the remote system simply by using a browser.

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    -------------
    3. The code:
    -------------

    To test the vulnerability:

    http://[host]/../../../../../../windows/system.ini

    or:

    http://[host]/../someFile

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    ------------
    4. The Fix:
    ------------

    No fix.
    The vendor has not responded to my reports.

    If you want, you can use the following small patch of mine, which
    should fix the bug in this version of GWeb HTTP Server:

            ...
            ..
            .

    (line: 136) String dir="www"+System.getProperty("file.separator");

    /* start of patch */

            int f_len = f.length();
            boolean check = false;

            // Scan the requested path f and stop at the first hit.
            // Note: the loop stops two characters early, so a ".." at the
            // very end of f is only caught when a '/' precedes it.
            for (int bi = 0; bi < f.length() - 2 && !check; bi++) {

                // A double quote anywhere, or a "/.." sequence
                // (the parentheses spell out Java's precedence: && before ||)
                if ((f.charAt(bi) == '\"') ||
                    ((f.charAt(bi) == '/') &&
                     (f.charAt(bi + 1) == '.') && (f.charAt(bi + 2) == '.'))) {

                    f_len = 0;
                    check = true;
                }
                // A bare ".." anywhere else in the path
                else if ((f.charAt(bi) == '.') && (f.charAt(bi + 1) == '.')) {

                    f_len = 0;
                    check = true;
                }
            }

            // A rejected request is treated like an empty one: index.html is served
            if (f_len <= 2) // before "if(f.length()==0)"

    /* end of patch */

            {
                file = dir + "index.html";

            }

            .
            ..
            ...
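    Scanning the request string for ".." is fragile; the more robust fix for
    this class of bug is to canonicalise the resolved file and check that it
    still lies inside the document root. The following is an added example,
    not the author's patch or GWeb's own code; the class name, the temporary
    "gweb-demo-www" root and the probe paths are constructed here.

```java
import java.io.File;
import java.io.IOException;

public class SafePathResolver {

    private final File root;

    // root is the document root, the "www" directory GWeb serves from
    public SafePathResolver(File root) throws IOException {
        this.root = root.getCanonicalFile();
    }

    // Map a request path onto a file inside the document root. Returns null
    // when the resolved file would lie outside the root, which is exactly
    // where a "/../" sequence tries to go.
    public File resolve(String requestPath) throws IOException {
        int q = requestPath.indexOf('?');
        if (q >= 0) requestPath = requestPath.substring(0, q);
        while (requestPath.startsWith("/")) requestPath = requestPath.substring(1);
        if (requestPath.length() == 0) requestPath = "index.html";

        // Canonicalise: resolves "..", ".", symlinks and (on Windows) "\" separators
        File candidate = new File(root, requestPath).getCanonicalFile();

        // Containment check: the canonical path must start with root + separator
        String rootPrefix = root.getPath() + File.separator;
        if (!candidate.getPath().startsWith(rootPrefix)) {
            return null;
        }
        return candidate;
    }

    // Demonstration against a temporary document root (constructed here,
    // not GWeb's own layout); the probe paths are the ones from section 3.
    public static void main(String[] args) throws IOException {
        File www = new File(System.getProperty("java.io.tmpdir"), "gweb-demo-www");
        www.mkdirs();
        new File(www, "index.html").createNewFile();
        SafePathResolver r = new SafePathResolver(www);

        String[] probes = { "/index.html", "/../../../../../../windows/system.ini",
                            "/../someFile", "/sub/../index.html" };
        for (String p : probes) {
            File f = r.resolve(p);
            System.out.println(p + " -> " + (f == null ? "REJECTED (outside root)" : f.getPath()));
        }
    }
}
```

    The last probe shows why the containment check is preferable: "/sub/../index.html" canonicalises to a file inside the root and is served, whereas a string match on ".." would reject it. If the server percent-decodes request paths, decode before calling resolve so the check sees the same path the filesystem will.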

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

