A vulnerability has been found in Dan Brumleve's Brown Orifice HTTPD (BOHTTPD) which is a web server and file sharing tool that runs as a Java Applet in Netscape Navigator.
5bd5a93be1101366bfe29db0b460f4114ad5b04899e9671f365420621b49d9d5
=====================================================
Brown Orifice HTTPD Directory Traversal Vulnerability
=====================================================
Background
----------
Brown Orifice HTTPD (BOHTTPD) <http://www.brumleve.com/BrownOrifice/>
is "a web server and file sharing tool" that runs as a Java Applet in
Netscape Navigator.(*1) It was written by Dan Brumleve and was
announced in BugTraq a few days ago.
Problem Description
-------------------
Brumleve's demonstration page politely asks users to specify a
directory on their computer for public access. However, by specifying
"\.." in HTTP requests to the server, an attacker can navigate the
server's file system and view/download any files. For example,
http://your-ip-address:8080/C:/temp/\../
or
http://your-ip-address:8080/C:/temp/%5C../ (for Internet Explorer
as a client)
will display the contents of the root directory of C: drive of the
server's computer.
Affected versions and platforms
-------------------------------
This bug has been verified to be present on the BOHTTPD 0.1 in
Netscape Navigator 4.72 for Windows.
Workaround
----------
Do not use BOHTTPD. :-)
(*1) This is also a security hole per se, as you know.
Regards,
--
Hiromitsu Takagi
Electrotechnical Laboratory
http://www.etl.go.jp/~takagi/