NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 2000-08

Subject: Re: Brown Orifice HTTPD Directory Traversal Vulnerability (was Re : Dangerous Java/Netscape Security Hole)
From: Wilson, Brian F (Brian.WilsonBNSF.COM)
Date: Tue Aug 08 2000 - 11:41:11 CDT

Next message: dies: "Open IP Directed Broadcast List..."
Previous message: debian-security-announceLISTS.DEBIAN.ORG: "[SECURITY] New version of mailx released"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Additional Info...

A simpler traversal option is to click on the "Up to higher level directory"
link when browsing the affected machine. This has worked on all of the
windows machines that I've visited with BOHTTPD Spy.

I have gotten 'Permission Denied.' messages on some machines that appeared
to be *ix platforms when trying to traverse higher than the 'share point'.

-Brian Wilson

-----Original Message-----
From: TAKAGI, Hiromitsu [mailto:takagiETL.GO.JP]
Sent: Tuesday, August 08, 2000 8:43 AM
To: BUGTRAQSECURITYFOCUS.COM
Subject: Brown Orifice HTTPD Directory Traversal Vulnerability (was Re:
Dangerous Java/Netscape Security Hole)

=====================================================
Brown Orifice HTTPD Directory Traversal Vulnerability
=====================================================

Background
----------
  Brown Orifice HTTPD (BOHTTPD) <http://www.brumleve.com/BrownOrifice/>
  is "a web server and file sharing tool" that runs as a Java Applet in
  Netscape Navigator.(*1) It was written by Dan Brumleve and was
  announced in BugTraq a few days ago.

Problem Description
-------------------
  Brumleve's demonstration page politely asks users to specify a
  directory on their computer for public access. However, by specifying
  "\.." in HTTP requests to the server, an attacker can navigate the
  server's file system and view/download any files. For example,
      http://your-ip-address:8080/C:/temp/\../
  or
      http://your-ip-address:8080/C:/temp/%5C../ (for Internet Explorer
      as a client)
  will display the contents of the root directory of C: drive of the
  server's computer.

Affected versions and platforms
-------------------------------
This bug has been verified to be present on the BOHTTPD 0.1 in
Netscape Navigator 4.72 for Windows.

Workaround
----------
Do not use BOHTTPD. :-)

(*1) This is also a security hole per se, as you know.

Regards,

--
Hiromitsu Takagi
Electrotechnical Laboratory
http://www.etl.go.jp/~takagi/

Next message: dies: "Open IP Directed Broadcast List..."
Previous message: debian-security-announceLISTS.DEBIAN.ORG: "[SECURITY] New version of mailx released"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]