webfs 'ls.c' Long Pathname Buffer Overflow Permits Code Execution and 'vhosts' Input Validation Flaw Discloses Files to Remote Users
SecurityTracker Alert ID: 1007835
SecurityTracker URL: http://securitytracker.com/id/1007835
CVE Reference: CAN-2003-0832, CAN-2003-0833
Updated: Dec 1 2003
Original Entry Date: Sep 30 2003
Impact:
Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, User access via local system
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 1.20
Description:
Two vulnerabilities were reported in the webfs HTTP server. In certain cases, a remote user can view files on the system. A local user can trigger a buffer overflow and potentially execute arbitrary code on the system.
It is reported that if virtual hosting (vhosts) is enabled, a remote user can submit a specially crafted HTTP request with '..' as the host name to view files on the system that are located outside of the web document directory (CVE: CAN-2003-0832).
It is also reported that a buffer overflow exists in 'ls.c' in the processing of "very long" file names. A local user (or a remote authenticated user) can create a long pathname in a directory that is within the web document directory or otherwise accessible to the web server. Then, a remote user can request a URL that includes the pathname to trigger a stack overflow and execute arbitrary code (CVE: CAN-2003-0833).
The two flaws can be exploited in combination, the report said. A local user can create the malicious pathname in the '/var/tmp' directory, for example. Then, a remote user can trigger the buffer overflow by exploiting the directory traversal flaw to access the malicious directory name.
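As an added defensive illustration (not webfs's own code; the function names and the fixed-size output buffer are assumptions), this is the shape of the two checks the advisory implies a vhost-aware server needs: the Host name must be a plain host label before it is used as a directory component, and the on-disk path must be built into a bounded buffer that fails cleanly instead of overflowing on a long pathname.

```c
/* Hypothetical resolver for "<docroot>/<vhost>/<request path>".
 * Only the vhost component and the total length are validated here;
 * traversal inside the request path itself is a separate concern
 * that the advisory does not cover. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Accept only characters that can appear in a host name, and reject
 * anything a filesystem would treat as a directory component. */
static int vhost_is_safe(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > 253)                       /* DNS name length limit */
        return 0;
    if (strcmp(host, ".") == 0 || strcmp(host, "..") == 0)
        return 0;                                /* the CAN-2003-0832 case */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return 0;                            /* rejects '/', '\\', spaces */
    }
    return strstr(host, "..") == NULL;           /* "a..b" is not a host name */
}

/* Build the path into a caller-supplied buffer.
 * Returns 0 on success, -1 if the vhost is unsafe or the result would
 * not fit (snprintf truncation is exactly the overflow the advisory
 * describes, so treat it as an error rather than serving a clipped path). */
int resolve_vhost_path(const char *docroot, const char *host,
                       const char *reqpath, char *out, size_t outlen)
{
    if (!vhost_is_safe(host))
        return -1;
    int n = snprintf(out, outlen, "%s/%s%s", docroot, host, reqpath);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}
```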
Jens Steube is credited with reporting these flaws.
Impact:
A remote user can view files on the system that are located outside of the web document directory and are readable by the webfsd process [when virtual hosting is enabled].
A local user can create a pathname that will cause arbitrary code to be executed when a URL for that pathname is requested by a remote user. The code will execute with the privileges of the webfsd process.
Solution:
The vendor has released a fixed version (1.20), available at:
http://bytesex.org/misc/webfs_1.20.tar.gz
Vendor URL: bytesex.org/webfs.html
Cause:
Boundary error, Input validation error
Underlying OS:
Linux (Any), UNIX (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Tue, 30 Sep 2003 01:56:50 -0400
Subject: webfs
CVE: CAN-2003-0832 CAN-2003-0833
Debian reported some vulnerabilities in the webfs HTTP server:
> CAN-2003-0832 - When virtual hosting is enabled, a remote client
> could specify ".." as the hostname in a request, allowing retrieval
> of directory listings or files above the document root.
>
> CAN-2003-0833 - A long pathname could overflow a buffer allocated on
> the stack, allowing execution of arbitrary code. In order to exploit
> this vulnerability, it would be necessary to be able to create
> directories on the server in a location which could be accessed by
> the web server. In conjunction with CAN-2003-0832, this could be a
> world-writable directory such as /var/tmp.
Jens Steube is credited with reporting these flaws.