Subject: Brown Orifice HTTPD Directory Traversal Vulnerability (was Re: Dangerous Java/Netscape Security Hole)
From: TAKAGI, Hiromitsu (takagi ETL.GO.JP)
Date: Tue Aug 08 2000 - 08:42:37 CDT
- In reply to: Dan Brumleve: "Dangerous Java/Netscape Security Hole"

=====================================================
Brown Orifice HTTPD Directory Traversal Vulnerability
=====================================================

Background
----------
Brown Orifice HTTPD (BOHTTPD) <http://www.brumleve.com/BrownOrifice/>
is "a web server and file sharing tool" that runs as a Java Applet in
Netscape Navigator.(*1) It was written by Dan Brumleve and was
announced in BugTraq a few days ago.

Problem Description
-------------------
Brumleve's demonstration page politely asks users to specify a
directory on their computer for public access. However, by specifying
"\.." in HTTP requests to the server, an attacker can navigate the
server's file system and view/download any files. For example,

    http://your-ip-address:8080/C:/temp/\../

or

    http://your-ip-address:8080/C:/temp/%5C../ (for Internet Explorer
    as a client)

will display the contents of the root directory of the C: drive of the
server's computer.

Affected versions and platforms
-------------------------------
This bug has been verified to be present in BOHTTPD 0.1 in
Netscape Navigator 4.72 for Windows.

Workaround
----------
Do not use BOHTTPD. :-)

(*1) This is also a security hole per se, as you know.

Regards,
--
Hiromitsu Takagi
Electrotechnical Laboratory
http://www.etl.go.jp/~takagi/
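
Added example (not part of the original message and not BOHTTPD's code): a containment check for the "\.." case described above, next to a flawed check that only treats "/" as a separator. The shared root C:\temp is taken from the advisory's URLs; the function names and sample requests are constructed for illustration, and ntpath is used so Windows path rules apply on any OS.

```python
import ntpath  # Windows path semantics, usable on any platform
from urllib.parse import unquote

SHARED_ROOT = r"C:\temp"  # assumed shared directory, as in the advisory's URLs


def naive_is_safe(url_path: str) -> bool:
    """Flawed check: looks for '..' only between '/' separators."""
    return ".." not in unquote(url_path).split("/")


def resolve_in_root(url_path: str, root: str = SHARED_ROOT) -> str:
    """Map a request path to a file under root, or raise PermissionError."""
    decoded = unquote(url_path)  # %5C becomes '\' before any check runs
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")
    # normpath treats '/' and '\' alike and collapses '..' segments
    candidate = ntpath.normpath(decoded.lstrip("/"))
    root_n = ntpath.normcase(ntpath.normpath(root))
    cand_n = ntpath.normcase(candidate)
    try:
        inside = ntpath.commonpath([root_n, cand_n]) == root_n
    except ValueError:  # other drive, UNC path, or relative path
        inside = False
    if not inside:
        raise PermissionError(f"outside shared root: {candidate}")
    return candidate


def is_allowed(url_path: str) -> bool:
    try:
        resolve_in_root(url_path)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, the rest leave C:\temp
    for req in ["/C:/temp/docs/readme.txt", "/C:/temp/\\../",
                "/C:/temp/%5C../", "/C:/temp2/notes.txt"]:
        print(f"{req!r:30} naive={naive_is_safe(req)} strict={is_allowed(req)}")
```

The naive check accepts both traversal requests because "\.." never appears as a "/"-delimited segment; the strict check normalises first and then compares against the root.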