xweb version 1.0 is susceptible to a directory traversal attack that allows viewing of files outside of the web root.
60b21d81251bb77af83e0f1e4ca6d1adf6571fe672b763de3f470ec726a71428
Donato Ferrante
Application: xweb
http://in.geocities.com/shamit_bagchi
Version: 1.0
Bug: directory traversal bug
Author: Donato Ferrante
e-mail: fdonato@autistici.org
web: www.autistici.org/fdonato
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description
2. The bug
3. The code
4. The fix
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------
1. Description:
----------------
xweb is a free HTTP server, for Linux based systems.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
2. The bug:
------------
The program doesn't check for malicious patterns like "/../", so an
attacker is able to see and download all the files on the remote
system simply using a browser.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
3. The code:
-------------
To test the vulnerability:
http://[host]/../../../../etc/passwd
or:
http://[host]/../someFile
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
4. The fix:
------------
Vendor was contacted.
Bug will be probably fixed in the next version of xweb.
If you want, you can use my following little patch, that should fix
the bug for this version of xweb:
.
..
...
(line: 233 of server.c) pstr[i]='\0';
/* start of patch */
int d = 0,
found = 1;
for( ; d < strlen(secondstr)-1 && found == 1; d++ ) {
if( (secondstr[d] == '.') && (secondstr[d+1] == '.') )
found = 0;
}
if(found == 0)
strcpy(secondstr, "/");
/* end of patch */
...
..
.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed