From: Sergey Nenashev (alfNTVI.RU)
Date: Fri Feb 02 2001 - 06:30:12 CST


    Hello!

    We have found a bug in the GoAhead WebServer, v.2.0 and v.2.1.

    An attacker can get any file from the drive where the web server was installed.

    Try the following request:

    http://www.somehost.com/..\..\..\..\..\..\autoexec.bat

    This vulnerability may allow an attacker to execute code with the
    privileges of GoAhead (Administrator? or root?):

    http://www.somehost.com/cgi-bin/..\..\..\..\..\..\winnt\system32\cmd.exe?/c+dir+c:\

    Patch for this vulnerability:

    in file: url.c
    in function websUrlParse(...)

    int websUrlParse(char_t *url, char_t **pbuf, char_t **phost, char_t **ppath,
            char_t **pport, char_t **pquery, char_t **pproto, char_t **ptag,
            char_t **pext)
    {
            char_t *tok, *cp, *host, *path, *port, *proto, *tag, *query, *ext, *slash;
            char_t *last_delim, *hostbuf, *portbuf, *buf;
            int c, len, ulen;

            a_assert(url);
            a_assert(pbuf);

            ulen = gstrlen(url);

            /*
             * Deny directory traversal vulnerability:
             * rewrite every backslash as a forward slash before parsing.
             */
            while ((slash = strchr(url, '\\')) != NULL) {
                    *slash = '/';
            }

            /*
             * We allocate enough to store separate hostname and port number fields.
             * As there are 3 strings in the one buffer, we need room for 3 null chars.
             * We allocate MAX_PORT_LEN char_t's for the port number.
             */

    --
    Sergey Nenashev <alfntvi.ru>
    Yevgeny V.Yourkhov  <a007ntvi.ru>
    Security Administrator Team
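The patch above only rewrites backslashes; the server still has to resolve ".." segments and refuse any path that climbs above the document root. The following is an added example, not GoAhead's code or the poster's, of a request-path normaliser that does both (the function name and the assumption that percent-decoding already happened are mine):

```c
#include <stdio.h>
#include <string.h>

/* Normalise a request path (added example; not GoAhead's code).
 * Both '/' and '\\' are treated as separators, "." and ".." segments are
 * resolved, and a ".." that would climb above the document root makes the
 * function return 0 so the caller can answer 403/404. Returns 1 on success.
 * Assumes percent-decoding was done first; out needs strlen(in)+3 bytes. */
int safe_url_path(const char *in, char *out, size_t outlen)
{
    size_t i = 0, w = 0, n = strlen(in);
    if (n + 3 > outlen) return 0;       /* too small: refuse, never truncate */
    out[w++] = '/';                     /* result is always root-relative */
    while (i < n) {
        size_t start, seglen;
        while (i < n && (in[i] == '/' || in[i] == '\\'))
            i++;                        /* skip runs of separators, either flavour */
        if (i >= n) break;
        start = i;
        while (i < n && in[i] != '/' && in[i] != '\\')
            i++;
        seglen = i - start;
        if (seglen == 1 && in[start] == '.')
            continue;                   /* "." changes nothing */
        if (seglen == 2 && in[start] == '.' && in[start + 1] == '.') {
            if (w == 1) return 0;       /* ".." at the root: traversal attempt */
            w--;                        /* step back over the '/' after the last segment */
            while (w > 0 && out[w - 1] != '/')
                w--;                    /* drop that segment */
            continue;
        }
        memcpy(out + w, in + start, seglen);
        w += seglen;
        out[w++] = '/';
    }
    if (w > 1) w--;                     /* no trailing '/' except for the root itself */
    out[w] = '\0';
    return 1;
}

int main(void)
{   /* constructed inputs: the request paths from the post plus a benign one */
    const char *reqs[] = { "..\\..\\..\\..\\..\\..\\autoexec.bat",
                           "cgi-bin\\..\\..\\winnt\\system32\\cmd.exe",
                           "/docs/./img/../index.html" };
    char out[128];
    for (int k = 0; k < 3; k++)
        printf("%s -> %s\n", reqs[k], safe_url_path(reqs[k], out, sizeof out) ? out : "REJECTED");
    return 0;
}
```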