SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   pico Server (pServ) Vendors:   pserv.sourceforge.net
pServ Double Slash '//' Input Validation Flaw Discloses Files to Remote Users
SecurityTracker Alert ID:  1008553
SecurityTracker URL:  http://securitytracker.com/id/1008553
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 27 2003
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.0 beta 2
Description:   A vulnerability was reported in pico Server (pServ). A remote user can view arbitrary files on the target system with the privileges of the web server.

Donato Ferrante reported that a remote user can request a URL containing double slash characters ('//') to traverse the directory.

A demonstration exploit HTTP GET request is provided:

GET //../ HTTP/1.0\r\n\r\n

Impact:   A remote user can view arbitrary files on the system with the privileges of the pServ daemon.
Solution:   The vendor has released a fixed version, available via CVS. The affected file (main.c) was corrected in 'main.c' file version 1.2 on Saturday, Decemeber 20 00:22:10 2003 UTC.

An unofficial patch is available in the Source Message.

Vendor URL:  sourceforge.net/projects/pserv (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  directory traversal bug in Pserv 3.0b2



                           Donato Ferrante


Application:  PSERV - the small web server
              http://sourceforge.net/projects/pserv

Version:      3.0 beta 2

Bug:          directory traversal bug

Author:       Donato Ferrante
              e-mail: fdonato@autistici.org
              web:    www.autistici.org/fdonato


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The patch


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"The aim of pServ (pico Server) is to create a portable, small
webserver.
Coded in portable C with Unix being the main reference platform, but
porting is encouraged. Portability and small footprint should enable
the use of pServ on a workstation as well as."


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The program, by default, has an anti-directory traversal check, but
this check can be easily bypassed using the double slash ("//") into
the http requests.


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the pserv's vulnerability simply send to the webserver an http
request string, like that:

                     "GET //../ HTTP/1.0\r\n\r\n"

or generally:

                    GET //../MY_PATH HTTP/1.0\r\n\r\n
                    GET /SOME_DIRECTORY//..//../ HTTP/1.0\r\n\r\n
                        
so the webserver will allow you to go out of the documentsPath
assigned to the webserver, and navigate through the system.


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

--------------
4. The patch:
--------------

To fix the bug simply go on the pserv's official website,
http://sourceforge.net/projects/pserv, and download the latest version
of pserv (see also in CVS).

Or, if you want, you can use my following little patch, that should fix
the bug for the version 3.0b2 of Pserv:


--- main.c	2003-09-22 10:39:24.000000000 +0200
+++ patch.c	2003-12-19 12:40:47.000000000 +0100
@@ -455,6 +455,11 @@
                     dirName[1] = req.documentAddress[2];
                     dirName[2] = req.documentAddress[3];
                     dirName[3] ='\0';
+                    if (dirName[0] == '/')
+                    {
+                        sayError(sock, FORBIDDEN, req.documentAddress, req);
+                        return -1;
+                    }
                     if (!strcmp(dirName, "../"))
                     {
                         sayError(sock, FORBIDDEN, req.documentAddress, req);
@@ -462,6 +467,15 @@
                     }
                 }
                 j = 0;
+                for(i = 1; i < sL; i++) {
+                   if(req.documentAddress[i] == '/')
+                        if(req.documentAddress[i+1] == '/')
+                        {
+                            sayError(sock, FORBIDDEN, req.documentAddress, req);
+                            return -1;
+                        }
+
+		}
                 for (i = 1; i < sL; i++) {
                     if (req.documentAddress[i] == '/')
                     {


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC