gwebTraversal.txt

gwebTraversal.txt: Posted Mar 3, 2004; Authored by Donato Ferrante | Site autistici.org; GWeb HTTP server version 0.6 is susceptible to a directory traversal bug that allows remote attackers to access files outside of the webroot.; tags | exploit, remote, web; SHA-256 | c20a48105f58c207217782b131ab51bde54557edd4d00995be8d9650ff678743; Download | Favorite | View

gwebTraversal.txt


                           Donato Ferrante


Application:  GWeb HTTP Server
              http://freshmeat.net/projects/gweb/

Version:      0.6

Bug:          directory traversal bug

Author:       Donato Ferrante
              e-mail: fdonato@autistici.org
              web:    www.autistici.org/fdonato


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The Fix



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"GWeb is a project to develop an HTTP server using Java, making it
small and portable. It will run on any system running the Java
Runtime Environment."


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The program doesn't check for malicious patterns like "/../", so an
attacker is able to see and download all the files on the remote
system simply using a browser.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerability:

http://[host]/../../../../../../windows/system.ini

or:

http://[host]/../someFile



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The Fix:
------------

No fix.
The vendor has not answered to my signalations.

If you want, you can use my following little patch, that should fix
the bug for this version of GWeb HTTP Server:

        ...
        ..
        .

(line: 136) String dir="www"+System.getProperty("file.separator");

/* start of patch */

        int f_len = f.length();
        boolean check = false;

        for(int bi = 0; bi < f.length()-2 && check == false; bi++){

                  if(
                     (f.charAt(bi) == '\"') || (f.charAt(bi)=='/') &&
                     (f.charAt(bi+1)=='.') && (f.charAt(bi+2) == '.')

                    ){

                       f_len = 0;
                       check = true;
                     }
        
        else if(
                            (f.charAt(bi)=='.') && 
                            (f.charAt(bi+1) == '.')

                         ){

                             f_len = 0;
                             check = true;
                          }

        }

        if(f_len <= 2) // before "if(f.length()==0)"

/*  end of patch */

        {
            file=dir+"index.html";

        }

        .
        ..
        ...



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

gwebTraversal.txt

gwebTraversal.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

gwebTraversal.txt

Share This

gwebTraversal.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems