Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Web Server/CGI)  >   pico Server (pServ) Vendors:
pServ Double Slash '//' Input Validation Flaw Discloses Files to Remote Users
SecurityTracker Alert ID:  1008553
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 27 2003
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.0 beta 2
Description:   A vulnerability was reported in pico Server (pServ). A remote user can view arbitrary files on the target system with the privileges of the web server.

Donato Ferrante reported that a remote user can request a URL containing double slash characters ('//') to traverse the directory.

A demonstration exploit HTTP GET request is provided:

GET //../ HTTP/1.0\r\n\r\n

Impact:   A remote user can view arbitrary files on the system with the privileges of the pServ daemon.
Solution:   The vendor has released a fixed version, available via CVS. The affected file (main.c) was corrected in 'main.c' file version 1.2 on Saturday, Decemeber 20 00:22:10 2003 UTC.

An unofficial patch is available in the Source Message.

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  directory traversal bug in Pserv 3.0b2

                           Donato Ferrante

Application:  PSERV - the small web server

Version:      3.0 beta 2

Bug:          directory traversal bug

Author:       Donato Ferrante


1. Description
2. The bug
3. The code
4. The patch


1. Description:

Vendor's Description:

"The aim of pServ (pico Server) is to create a portable, small
Coded in portable C with Unix being the main reference platform, but
porting is encouraged. Portability and small footprint should enable
the use of pServ on a workstation as well as."


2. The bug:

The program, by default, has an anti-directory traversal check, but
this check can be easily bypassed using the double slash ("//") into
the http requests.


3. The code:

To test the pserv's vulnerability simply send to the webserver an http
request string, like that:

                     "GET //../ HTTP/1.0\r\n\r\n"

or generally:

                    GET //../MY_PATH HTTP/1.0\r\n\r\n
                    GET /SOME_DIRECTORY//..//../ HTTP/1.0\r\n\r\n
so the webserver will allow you to go out of the documentsPath
assigned to the webserver, and navigate through the system.


4. The patch:

To fix the bug simply go on the pserv's official website,, and download the latest version
of pserv (see also in CVS).

Or, if you want, you can use my following little patch, that should fix
the bug for the version 3.0b2 of Pserv:

--- main.c	2003-09-22 10:39:24.000000000 +0200
+++ patch.c	2003-12-19 12:40:47.000000000 +0100
@@ -455,6 +455,11 @@
                     dirName[1] = req.documentAddress[2];
                     dirName[2] = req.documentAddress[3];
                     dirName[3] ='\0';
+                    if (dirName[0] == '/')
+                    {
+                        sayError(sock, FORBIDDEN, req.documentAddress, req);
+                        return -1;
+                    }
                     if (!strcmp(dirName, "../"))
                         sayError(sock, FORBIDDEN, req.documentAddress, req);
@@ -462,6 +467,15 @@
                 j = 0;
+                for(i = 1; i < sL; i++) {
+                   if(req.documentAddress[i] == '/')
+                        if(req.documentAddress[i+1] == '/')
+                        {
+                            sayError(sock, FORBIDDEN, req.documentAddress, req);
+                            return -1;
+                        }
+		}
                 for (i = 1; i < sL; i++) {
                     if (req.documentAddress[i] == '/')



Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC