SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Web Server/CGI)  >   XWeb
Vendors:   Bagchi, Shamit
XWeb '../' Input Validation Flaw Discloses Files to Remote Users
SecurityTracker Alert ID:  1009514
SecurityTracker URL:  http://securitytracker.com/id/1009514
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 22 2004
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 1.0
Description:   An input validation vulnerability was reported in the XWeb web server software. A remote user can traverse the directory and view files located outside of the web document directory.

Donato Ferrante reported that a remote user can supply a specially crafted URL containing the '../' directory traversal characters to view files on the system with the privileges of the web service.

Some demonstration exploit URLs are provided:

http://[host]/../../../../etc/passwd

http://[host]/../someFile

Impact:   A remote user can view arbitrary specified files on the target system with the privileges of the web service.
Solution:   No solution was available at the time of this entry. The author of the report has provided an unofficial fix, available in the Source Message. This same fix has been posted to the vendor's web site.
Vendor URL:  in.geocities.com/shamit_bagchi
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


Source Message Contents

Subject:  http://www.autistici.org/fdonato/advisory/xweb1.0-adv.txt


http://www.autistici.org/fdonato/advisory/xweb1.0-adv.txt

                            Donato Ferrante


Application:  xweb
               http://in.geocities.com/shamit_bagchi

Version:      1.0

Bug:          directory traversal bug

Author:       Donato Ferrante
               e-mail: fdonato@autistici.org
               web:    www.autistici.org/fdonato


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The fix



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

xweb is a free HTTP server for Linux-based systems.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The program doesn't check for malicious patterns like "/../", so an
attacker is able to see and download all the files on the remote
system simply by using a browser.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerability:

http://[host]/../../../../etc/passwd

or:

http://[host]/../someFile



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

The vendor was contacted.
The bug will probably be fixed in the next version of xweb.



If you want, you can use my following little patch, which should fix
the bug for this version of xweb:

         .
         ..
         ...

(line: 233 of server.c) pstr[i]='\0';

/* start of patch */

/* secondstr holds the requested path parsed by server.c. Scan it for
 * ".." and, if found, replace the whole request with the document
 * root. Length is taken once and the loop is guarded so that an empty
 * string cannot make strlen()-1 wrap around. */

size_t d, len = strlen(secondstr);
int found = 1;                   /* 1 = path clean, 0 = ".." seen */

for( d = 0; len > 1 && d < len-1 && found == 1; d++ ) {
             if( (secondstr[d] == '.') && (secondstr[d+1] == '.') )
                  found = 0;
}

if(found == 0)
      strcpy(secondstr, "/");    /* serve the root instead of the file */


/* end of patch */

         ...
         ..
         .



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
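As an added example (not part of the original advisory or of xweb itself), a stricter check than a substring search for "..": the request path is split into segments and resolved lexically against the document root, so a legitimate name such as "a..b" is still served while any ".." that would climb above the root is refused. The function name and the "/var/www" root used in the comments are placeholders, and the helper assumes the path has already been percent-decoded exactly once before it is called.

```c
#include <string.h>

/* Lexically resolve a request path against a document root (hypothetical
 * helper, not from xweb). Returns 1 and writes "<docroot>/<normalised>"
 * to out when the request stays inside the root; returns 0 when a ".."
 * segment would climb above it, on excessive depth, or if out is too
 * small. Assumes req has already been percent-decoded exactly once. */
int resolve_request_path(const char *docroot, const char *req,
                         char *out, size_t outlen)
{
    const char *seg[64];          /* start of each kept path segment */
    size_t seglen[64];
    int depth = 0;
    const char *p = req;

    while (*p) {
        while (*p == '/') p++;    /* collapse "/" runs, skip leading "/" */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - start);
        if (n == 1 && start[0] == '.')
            continue;             /* "." refers to the current directory */
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return 0;         /* ".." above the document root: refuse */
            depth--;              /* otherwise pop the previous segment */
            continue;
        }
        if (depth == 64) return 0;   /* deeper than the fixed stack allows */
        seg[depth] = start;
        seglen[depth] = n;
        depth++;
    }

    /* Rebuild: docroot, then "/" + segment for each kept segment. */
    size_t used = strlen(docroot);
    if (used + 1 > outlen) return 0;
    memcpy(out, docroot, used);
    for (int i = 0; i < depth; i++) {
        if (used + 1 + seglen[i] + 1 > outlen) return 0;
        out[used++] = '/';
        memcpy(out + used, seg[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return 1;
}
```

With this approach the two URLs quoted in the advisory are refused at the first ".." segment, while "/docs/../index.html" resolves to the root's index.html and "/docs/a..b/x" is served unchanged.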


Copyright 2019, SecurityGlobal.net LLC