NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 2004-03

directory traversal in GWeb 0.6

From: Donato Ferrante (fdonatoautistici.org)
Date: Wed Mar 03 2004 - 06:42:13 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Donato Ferrante

Application: GWeb HTTP Server
http://freshmeat.net/projects/gweb/

Version: 0.6

Bug: directory traversal bug

Author: Donato Ferrante
e-mail: fdonatoautistici.org
web: www.autistici.org/fdonato

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The Fix

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"GWeb is a project to develop an HTTP server using Java, making it
small and portable. It will run on any system running the Java
Runtime Environment."

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The program doesn't check for malicious patterns like "/../", so an
attacker is able to see and download all the files on the remote
system simply using a browser.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerability:

http://[host]/../../../../../../windows/system.ini

or:

http://[host]/../someFile

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The Fix:
------------

No fix.
The vendor has not answered to my signalations.

If you want, you can use my following little patch, that should fix
the bug for this version of GWeb HTTP Server:

        ...
        ..
        .

(line: 136) String dir="www"+System.getProperty("file.separator");

/* start of patch */

int f_len = f.length();
boolean check = false;

for(int bi = 0; bi < f.length()-2 && check == false; bi++){

                  if(
                     (f.charAt(bi) == '\"') || (f.charAt(bi)=='/') &&
                     (f.charAt(bi+1)=='.') && (f.charAt(bi+2) == '.')

){

                       f_len = 0;
                       check = true;
                     }

                    else if(
                            (f.charAt(bi)=='.') &&
                            (f.charAt(bi+1) == '.')

){

                             f_len = 0;
                             check = true;
                          }

}

if(f_len <= 2) // before "if(f.length()==0)"

/* end of patch */

{
file=dir+"index.html";

}

        .
        ..
        ...

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]