Subject: Re: Brown Orifice HTTPD Directory Traversal Vulnerability (was Re: Dangerous Java/Netscape Security Hole)
From: Michael H. Warfield (mhwWITTSEND.COM)
Date: Tue Aug 08 2000 - 11:15:05 CDT


On Tue, Aug 08, 2000 at 10:42:37PM +0900, TAKAGI, Hiromitsu wrote:
        [...]

> Problem Description
> -------------------
> Brumleve's demonstration page politely asks users to specify a
> directory on their computer for public access. However, by specifying
> "\.." in HTTP requests to the server, an attacker can navigate the
> server's file system and view/download any files. For example,
> http://your-ip-address:8080/C:/temp/\../
> or
> http://your-ip-address:8080/C:/temp/%5C../ (for Internet Explorer
> as a client)
> will display the contents of the root directory of C: drive of the
> server's computer.

> Affected versions and platforms
> -------------------------------
> This bug has been verified to be present on the BOHTTPD 0.1 in
> Netscape Navigator 4.72 for Windows.

        This does not appear to be effective against Netscape Communicator
4.74 on Linux. I get permission denied for any plain ".." in the path
anywhere and anything with "\.." or "%5c.." gets a Java runtime error
complaining that the directory "\.." was not found.

> Workaround
> ----------
> Do not use BOHTTPD. :-)

        :-)

        Mike

--
 Michael H. Warfield    |  (770) 985-6132   |  mhwWittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
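
The platform difference reported in this thread, as an added example that is not part of the original messages and is not BOHTTPD's code: a containment check that percent-decodes the request and normalizes it with the server platform's own separator rules before comparing it to the shared directory. The names naive_allows and resolve, the '/'-only filter, and the /home/user/pub directory are assumptions made for illustration.

```python
import ntpath
import posixpath
from urllib.parse import unquote

WINDOWS, POSIX = ntpath, posixpath  # path rules of the server's platform

def naive_allows(request_path):
    """Hypothetical weak filter: rejects only '/'-delimited '..' segments."""
    return ".." not in request_path.split("/")

def resolve(shared_root, request_path, rules):
    """Percent-decode, normalize with the platform's own separator rules,
    then require the result to stay under shared_root.
    Returns the normalized path, or None when the request escapes."""
    decoded = unquote(request_path)
    root = rules.normcase(rules.normpath(shared_root))
    target = rules.normcase(rules.normpath(rules.join(root, decoded)))
    try:
        inside = rules.commonpath([root, target]) == root
    except ValueError:  # different drives, or absolute mixed with relative
        inside = False
    return target if inside else None

if __name__ == "__main__":
    # Constructed sample requests, using the path forms quoted in the post.
    for req in ("C:/temp/docs/a.txt", "C:/temp/../", "C:/temp/\\../", "C:/temp/%5C../"):
        print(f"{req!r:24} naive_allows={naive_allows(req)!s:5} "
              f"windows={resolve('C:/temp', req, WINDOWS)}")
    # On POSIX the backslash is an ordinary filename character.
    print(resolve("/home/user/pub", "/home/user/pub/%5C../", POSIX))
```

Under Windows rules both "\.." forms normalize to the drive root and are refused; under POSIX rules "\.." stays a literal name inside the shared directory, which matches the "not found" behaviour described for Linux.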