From: Sergey Nenashev (alfNTVI.RU)
Date: Fri Feb 02 2001 - 06:30:12 CST



    We have found a bug in the GoAhead WebServer, v.2.0 and v.2.1.

    An attacker can get any file from the drive where the web server was installed.

    Try the following request:


    This vulnerability may allow an attacker to execute code with the
    privileges of GoAhead (Administrator? or root?)


    Patch for this vulnerability:

    in file: url.c
    in function websUrlParse(...)

    int websUrlParse(char_t *url, char_t **pbuf, char_t **phost, char_t **ppath,
            char_t **pport, char_t **pquery, char_t **pproto, char_t **ptag,
            char_t **pext)
            char_t *tok, *cp, *host, *path, *port, *proto, *tag, *query, *ext, *slash;
            char_t *last_delim, *hostbuf, *portbuf, *buf;
            int c, len, ulen;


            ulen = gstrlen(url);

     * Deny directory traversal vulnerability

            while((slash = strchr(url, '\\')) != NULL) {
                            *slash = '/';

     * We allocate enough to store separate hostname and port number fields.
     * As there are 3 strings in the one buffer, we need room for 3 null chars.
     * We allocate MAX_PORT_LEN char_t's for the port number.
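
Review bot: The new `while` loop calls `strchr(url, '\\')` on a `char_t *`, while the line just above it uses the `gstrlen` wrapper; in a build where `char_t` is a wide character, `strchr` is the wrong function, so the matching wrapper (`gstrchr`) should be used here. The loop also restarts its search from the beginning of `url` after every replacement; continuing from `slash + 1` avoids the repeated scans. The comment says the block denies directory traversal, but the visible lines only rewrite backslashes to forward slashes in the caller's buffer, so the comment should name the later check that actually rejects `..` segments once the URL has been normalized.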

    Sergey Nenashev <alfntvi.ru>
    Yevgeny V.Yourkhov  <a007ntvi.ru>
    Security Administrator Team