
nullhttpd.xss.txt

Posted Sep 25, 2003
Authored by Luigi Auriemma | Site aluigi.altervista.org

NULLhttpd version 0.5.1 and below is vulnerable to a simple cross-site scripting attack.

tags | advisory, xss
SHA-256 | 9bd9eaaee3c3e86fe3542b65ecfc1b31fb82cef2f2febf220de60c32a9c33f01

#######################################################################

Luigi Auriemma

Application: NULLhttpd
http://nullhttpd.sourceforge.net/httpd/
Versions: <= 0.5.1
Platforms: All supported (Win & Unix)
Bug: Cross site scripting
Risk: Low
Author: Luigi Auriemma
e-mail: aluigi@altervista.org
web: http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


"Null httpd is a very small, simple and multithreaded web server for
Linux and Windows."
However, as stated by the author Dan Cahill, this server was not
developed for production servers or for quality and security.



#######################################################################

======
2) Bug
======


This is not the first time that an XSS (cross-site scripting) bug has
been found in NULLhttpd; in fact this bug was already fixed in version
0.5.1, released one year ago, but unfortunately some "problems" in the
code allow this bug to be reproduced (even though it already existed in
previous versions).

The problem is that an overly long HTTP request overwrites some string
data in memory (however, I have not debugged it, so there are no details
about it). The effect is that the check NULLhttpd makes to prevent XSS
is bypassed and the returned 400 (Bad Request) error page contains the
XSS code.


Example:

http://server/ [1799 bytes] [243 bytes]
               |            |
               |            here starts the XSS code that can be max
               |            243 bytes big
               chars needed to avoid the XSS check



Answer from NULLhttpd:

----
HTTP/1.0 200 OK
Cache-Control: no-store
Connection: Close
Content-Length: 472
Date: Tue, 23 Sep 2003 11:39:30 GMT
Expires: Tue, 23 Sep 2003 11:39:30 GMT
Last-Modified:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaano-cache
Pragma: no-cache
Server: Null httpd 0.5.1
Content-Type: text/html

<script>alert('hello');</script>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxx<HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD>
<BODY BGCOLOR=#F0F0F0 TEXT=#000000 LINK=#0000FF ALINK=#0000FF VLINK=#0000FF>
<H1>400 Bad Request</H1>
Can't Parse Request.
<HR>
<ADDRESS>Null httpd 0.5.1</ADDRESS>
</BODY></HTML>
----




#######################################################################


===========
3) The Code
===========


Exploiting the problem is very simple; however, I have released an HTML
file with a link (I have used 127.0.0.1 as the server, so modify it)
that does the work:

http://aluigi.altervista.org/nullhttpd051-xss.htm



#######################################################################

======
4) Fix
======


No fix.
The author was contacted over 10 days ago, but I have not received
an answer so far.
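
Added example (not NULLhttpd source and not part of the original advisory):
one way to build the 400 page so that it stays safe even when an input-side
XSS check is bypassed, by escaping at output time into a bounded buffer and
by not reflecting over-long requests at all. MAX_REQ_LINE, the function
names and the page markup are assumptions made for illustration.

```c
/* Added example, not NULLhttpd source. MAX_REQ_LINE, both function names
 * and the page markup are hypothetical. */
#include <stddef.h>
#include <string.h>

#define MAX_REQ_LINE 1024 /* assumed cap on a reflected request line */

/* HTML-escape NUL-terminated src into dst (capacity cap). Returns the
 * length written, or -1 (dst emptied) if the escaped text does not fit. */
int html_escape(char *dst, size_t cap, const char *src)
{
    size_t o = 0;
    if (cap == 0) return -1;
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;
        switch (*src) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = strlen(rep);
        if (n >= cap - o) { dst[0] = '\0'; return -1; } /* no partial entity */
        memcpy(dst + o, rep, n);
        o += n;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Build the 400 body. The request is reflected only when it is at most
 * MAX_REQ_LINE bytes and its escaped form fits; otherwise the page carries
 * no request bytes at all. Returns body length, or -1 if out is too small. */
int build_400_body(char *out, size_t cap, const char *req)
{
    static const char head[] = "<HTML><BODY><H1>400 Bad Request</H1>\n";
    static const char tail[] = "</BODY></HTML>\n";
    size_t hl = sizeof head - 1, tl = sizeof tail - 1, o = hl;
    if (cap < hl + tl + 1) return -1;
    memcpy(out, head, hl);
    if (memchr(req, '\0', MAX_REQ_LINE + 1) != NULL) { /* bounded length check */
        int n = html_escape(out + o, cap - o - tl, req);
        if (n > 0) o += (size_t)n;
    }
    memcpy(out + o, tail, tl + 1); /* includes the terminating NUL */
    return (int)(o + tl);
}
```

The escaping does not address the memory overwrite itself, which the advisory
leaves undiagnosed; it only removes the dependence of the error page on the
input check.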



#######################################################################