===================================================== Brown Orifice HTTPD Directory Traversal Vulnerability ===================================================== Background ---------- Brown Orifice HTTPD (BOHTTPD) is "a web server and file sharing tool" that runs as a Java Applet in Netscape Navigator.(*1) It was written by Dan Brumleve and was announced in BugTraq a few days ago. Problem Description ------------------- Brumleve's demonstration page politely asks users to specify a directory on their computer for public access. However, by specifying "\.." in HTTP requests to the server, an attacker can navigate the server's file system and view/download any files. For example, http://your-ip-address:8080/C:/temp/\../ or http://your-ip-address:8080/C:/temp/%5C../ (for Internet Explorer as a client) will display the contents of the root directory of C: drive of the server's computer. Affected versions and platforms ------------------------------- This bug has been verified to be present on the BOHTTPD 0.1 in Netscape Navigator 4.72 for Windows. Workaround ---------- Do not use BOHTTPD. :-) (*1) This is also a security hole per se, as you know. Regards, -- Hiromitsu Takagi Electrotechnical Laboratory http://www.etl.go.jp/~takagi/