From: Matt Moore (matt_at_westpoint.ltd.uk)
Date: Wed Jul 10 2002 - 06:00:15 CDT

    Westpoint Security Advisory

    Title: GoAhead Web Server Directory Traversal + Cross Site Scripting
    Risk Rating: Medium
    Software: GoAhead Web Server v2.1
    Platforms: Windows NT/98/95/CE
                Embedded Linux
                Linux
                QNX
                Novell Netware + others

    Vendor URL: www.goahead.com/webserver/webserver.htm
    Author: Matt Moore <matt@westpoint.ltd.uk>
    Date: 10th July 2002
    Advisory ID#: wp-02-0001

    Overview:
    =========
    GoAhead is an open source 'embedded' web server, apparently used in various
    networking devices from several blue chip companies.

    ( http://www.goahead.com/webserver/customers.htm )

    Details:
    ========

    Cross Site Scripting via 404 messages.
    --------------------------------------

    GoAhead quotes back the requested URL, unescaped, when responding with a 404.
    Hence it is possible to perform cross-site scripting attacks, e.g.:

    GoAhead-server/<SCRIPT>alert(document.domain)</SCRIPT>

    Read arbitrary files from the server running GoAhead (Directory Traversal)
    --------------------------------------------------------------------------

    GoAhead is vulnerable to a directory traversal bug. A request such as

    GoAhead-server/../../../../../../../

    results in the error message 'Cannot open URL'.

    However, by URL-encoding the '\' character (%5C), it is possible to break
    out of the web root and read arbitrary files from the server, because the
    traversal check is applied before the path is decoded and normalised.
    Hence a request like:

    GoAhead-server/..%5C..%5C..%5C..%5C..%5C..%5C/winnt/win.ini

    returns the contents of the win.ini file.
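    The following is an added illustration of the two defects above and of the
    corresponding defensive checks; it is not GoAhead's code, and WEBROOT and the
    sample requests are assumed/constructed for the example:

```python
import html
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed document root for this example; a real deployment's root differs.
WEBROOT = "/var/www/goahead"


def naive_rejects(raw_path: str) -> bool:
    """Check in the style the advisory implies: refuse a request whose raw
    URL contains '../', without decoding it first. An encoded backslash
    ('..%5C') slips past this check."""
    return "../" in raw_path


def resolve_path(webroot: str, raw_path: str) -> Optional[str]:
    """Map a request path to a file under webroot, or return None if it escapes.

    Percent-decode once (do this after the server's own decoding, not in
    addition to it), treat a backslash as a segment separator, collapse '.'
    and '..' segments, then confirm the result is still inside webroot."""
    decoded = unquote(raw_path).replace("\\", "/")
    resolved = posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))
    if resolved != webroot and not resolved.startswith(webroot + "/"):
        return None
    return resolved


def not_found_body(raw_path: str) -> str:
    """404 page that reflects the requested URL but HTML-escapes it, so
    markup supplied in the request is rendered as text, not executed."""
    return "<html><body>Cannot open URL: %s</body></html>" % html.escape(unquote(raw_path))


if __name__ == "__main__":
    # Constructed requests modelled on the advisory's examples.
    for req in ("/../../../../../../../",
                "/..%5C..%5C..%5C..%5C..%5C..%5C/winnt/win.ini",
                "/index.html"):
        print(req, "naive_rejects=%s" % naive_rejects(req),
              "resolves_to=%s" % resolve_path(WEBROOT, req))
    print(not_found_body("/<SCRIPT>alert(document.domain)</SCRIPT>"))
```

    The naive check rejects only the plain '../' form; the canonicalising check
    rejects both traversal variants while still serving normal paths.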

    Vendor Response:
    ================
    I was unable to obtain any response from GoAhead technical support regarding
    the identified issues.

    Patch Information:
    ==================
    No vendor response was received, so it is unknown whether a fixed version is
    available.

    Security History:
    =================

    http://www.securiteam.com/securitynews/5QP010U3FS.html - Directory Traversal
    http://www.securiteam.com/securitynews/5IP0E2K41I.html - Denial of Service
    http://www.securiteam.com/windowsntfocus/5LP040A3RS.html - Denial of Service

    This advisory is available online at:

    http://www.westpoint.ltd.uk/advisories/wp-02-0001.txt