gwebTraversal.txt

gwebTraversal.txt: Posted Mar 3, 2004; Authored by Donato Ferrante | Site autistici.org; GWeb HTTP server version 0.6 is susceptible to a directory traversal bug that allows remote attackers to access files outside of the webroot.; tags | exploit, remote, web; SHA-256 | c20a48105f58c207217782b131ab51bde54557edd4d00995be8d9650ff678743; Download | Favorite | View

gwebTraversal.txt


                           Donato Ferrante


Application:  GWeb HTTP Server
              http://freshmeat.net/projects/gweb/

Version:      0.6

Bug:          directory traversal bug

Author:       Donato Ferrante
              e-mail: fdonato@autistici.org
              web:    www.autistici.org/fdonato


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The Fix



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"GWeb is a project to develop an HTTP server using Java, making it
small and portable. It will run on any system running the Java
Runtime Environment."


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The program doesn't check for malicious patterns like "/../", so an
attacker is able to see and download all the files on the remote
system simply using a browser.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerability:

http://[host]/../../../../../../windows/system.ini

or:

http://[host]/../someFile



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The Fix:
------------

No fix.
The vendor has not answered to my signalations.

If you want, you can use my following little patch, that should fix
the bug for this version of GWeb HTTP Server:

        ...
        ..
        .

(line: 136) String dir="www"+System.getProperty("file.separator");

/* start of patch */

        int f_len = f.length();
        boolean check = false;

        for(int bi = 0; bi < f.length()-2 && check == false; bi++){

                  if(
                     (f.charAt(bi) == '\"') || (f.charAt(bi)=='/') &&
                     (f.charAt(bi+1)=='.') && (f.charAt(bi+2) == '.')

                    ){

                       f_len = 0;
                       check = true;
                     }
        
        else if(
                            (f.charAt(bi)=='.') && 
                            (f.charAt(bi+1) == '.')

                         ){

                             f_len = 0;
                             check = true;
                          }

        }

        if(f_len <= 2) // before "if(f.length()==0)"

/*  end of patch */

        {
            file=dir+"index.html";

        }

        .
        ..
        ...



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Top Authors In Last 30 Days

Red Hat 282 files
Jay Turla 150 files
indoushka 149 files
Ubuntu 69 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
Gentoo 31 files
H D Moore 31 files
Debian 30 files

File Archives

Systems

AIX (429)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,117)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (880)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,059)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,725)
Slackware (941)
Solaris (1,614)
SUSE (1,444)
Ubuntu (9,806)
UNIX (9,449)
UnixWare (187)
Windows (6,762)
Other

gwebTraversal.txt

gwebTraversal.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

gwebTraversal.txt

Share This

gwebTraversal.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems