Hello!

We have found a bug in the GoAhead WebServer, v.2.0 and v.2.1.

Attacker can get any file from the drive, where web-server was installed.

try follow request

http://www.somehost.com/..\..\..\..\..\..\autoexec.bat

This vulnerability may allow an attacker to execute code with the
privileges of the GoAhead ( Administrator? or root? )

http://www.somehost.com/cgi-bin/..\..\..\..\..\..\winnt\system32\cmd.exe?/c+
dir+c:\

Patch for this vulnerability:

in file: url.c
in function websUrlParse(...)

int websUrlParse(char_t *url, char_t **pbuf, char_t **phost, char_t **ppath,
        char_t **pport, char_t **pquery, char_t **pproto, char_t **ptag,
        char_t **pext)
{
        char_t *tok, *cp, *host, *path, *port, *proto, *tag, *query, *ext, *slash;
        char_t *last_delim, *hostbuf, *portbuf, *buf;
        int c, len, ulen;

        a_assert(url);
        a_assert(pbuf);

        ulen = gstrlen(url);

/*
 * Deny directory traversal vulnerability
 */

        while((slash = strchr(url, '\\')) != NULL) {
                        *slash = '/';
        }

/*
 * We allocate enough to store separate hostname and port number fields.
 * As there are 3 strings in the one buffer, we need room for 3 null chars.
 * We allocate MAX_PORT_LEN char_t's for the port number.
 */

--
Sergey Nenashev <alfntvi.ru>
Yevgeny V.Yourkhov  <a007ntvi.ru>
Security Administrator Team

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]