OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Tiny Server 1.1 (1.0.5) Multiple Vulnerabilities

From: Donato Ferrante (fdonatoautistici.org)
Date: Sat Jan 24 2004 - 07:52:09 CST


                           Donato Ferrante

Application: Tiny Server
              http://sourceforge.net/projects/tinyserver

Version: 1.1 (1.0.5)

Bugs: Multiple Vulnerabilities

Author: Donato Ferrante
              e-mail: fdonatoautistici.org
              web: www.autistici.org/fdonato

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bugs
3. The code
4. The fix

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"This is a very basic http server. This server can accept multiple
requests at once. The server is only 56 kb. The server has been
configured to accept a maximum of 100 connections.
As of now Tiny Server supports only the GET request."

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
2. The bugs:
-------------

[1] directory traversal bug: the program does't make a good check on
    the user input string ( /../ ) so an attacker is able to see and
    download all the files on the remote system simply using his
    browser.

[2] denial of service bug: the program have no checks on the input
    strings received, so an attacker is able to crash the server
    simply sending a crafted string.

[3] cross site scripting bug: the program doesn't make a full check
    on the strings sent by the client, in fact the input strings are
    not filtered and they will appear in the returned page.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

The following are some examples to test the vulnerabilities:

[1]

http://[host]/../../windows/system.ini

[2]

GET /index.htm
( without specify HTTP/1.1 )

or simply:

index.htm
( without specify GET and HTTP/1.1 )

or:

GET /aaaaaa[ 260 of a ]aaa HTTP/1.1
 

[3]

http://[host]/<script>alert("Test")</script>

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

No fix.
The vendor has not answered to my signalations.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx