exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Sep 25, 2003
Authored by Phuong Nguyen

TCLHttpd version 3.4.2 is susceptible to arbitrary directory browsing when an absolute path is entered against Dirlist.tcl even though it does prevent and filter basic URL attacks. This release also suffers from multiple cross site scripting vulnerabilities.

tags | advisory, arbitrary, vulnerability, xss
SHA-256 | cd7f1d11b3ca6f5557a7089d0ad41c6cfe112cbae11c131b99ae3ae789457d9e


Change Mirror Download
Released Date 09/23/2003

TCLHttpd 3.4.2 - Multiple Vulnerabilities

"TclHttpd is used both as a general-purpose Web
server, and as a framework for building server
applications. It implements Tcl (http://www.tcl.tk),
including the Tcl Resource Center and Scriptics'
electronic commerce facilities. It is also
built into several commercial applications such as
license servers and mail spam filters. Instructions
for setting up the TclHttpd on your platform are given
towards the end of the chapter, on page See The
TclHttpd Distribution. It works on Unix, Windows, and
Macintosh. You can have the server up and running

More information at

Affected Version : TCLHttpd 3.4.2 (latest) and
probably older builds
Tested Platform : Linux(x86)

Mutiple flaws in TCLHttpd server which open door for
an attacker to browse any directories on the remote
host, and to inject malicious javascript/vbscript
content to the user's browser under the TCLHttpd
server context (Cross Site Scripting).

[Vulnerability #1] Arbitrary Directory Browsing

When a user requests a directory on TCLHttpd server,
httpdthread.tcl will start to look for various default
index file names in that directory, if none can be
found then it will pass the operation to dirlist.tcl
script to do the "fancy" directory listing which
provides users the ability to sort files by modify
date, name, size or file's pattern. Dirlist.tcl script
filter inputs from the users in order to prevent
directory traversal but it can be easily bypassed if
an absolute path was entered. Directory listing is
enabled by default.

For example: Requesting
http://abc.com/images/?pattern=/*&sort=name will
return you a list of directory under /

[Vulnerability #2] Cross Site Scripting (XSS)

TCLHttpd web server comes with various modules in
order to increase the flexibility of the server, and
/debug module is enable by default which allows you to
download logging information, debug the Tcl part of
the application without restarting the hosting
application. Many modules are suffered from the
multiple Cross Site Scripting (XSS) vulnerabilities
that potentially enable a malicious user to "inject"
code into a user's session under TCLHttpd server
context. I'm going to use the /debug module as an


You can eliminate the threats from these
vulnerabilities by editing your httpdthread.tcl and
comment out the directory listing option, also you
should disable the folowwing modules to prevent Cross
Site Scripting: Status, Debug, Mail and Admin.

Notes: Disabling some modules in your TCLhttpd
configuration might decrease the flexibility of your

Vendor has been notified.

Phuong Nguyen

Login or Register to add favorites

File Archive:

March 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    13 Files
  • 3
    Mar 3rd
    15 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    31 Files
  • 8
    Mar 8th
    16 Files
  • 9
    Mar 9th
    13 Files
  • 10
    Mar 10th
    9 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    10 Files
  • 14
    Mar 14th
    6 Files
  • 15
    Mar 15th
    17 Files
  • 16
    Mar 16th
    22 Files
  • 17
    Mar 17th
    13 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    16 Files
  • 21
    Mar 21st
    13 Files
  • 22
    Mar 22nd
    5 Files
  • 23
    Mar 23rd
    6 Files
  • 24
    Mar 24th
    47 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By