<<< Date Index >>>     <<< Thread Index >>>

Re: [Tclhttpd-users] Re: TCLHttpd Server - Multiple Vulnerabilities

Here is the patch for the dirlist.tcl bug
Please note also that with this bug you can see a
directory listing, but you cannot fetch any files that
you might be able to see.  The server running at www.tcl.tk
has had this patch applied to it.

*** dirlist.tcl 4 Apr 2003 04:10:54 -0000       1.10
--- dirlist.tcl 24 Sep 2003 20:32:28 -0000
***************
*** 174,180 ****
      set path [file split $dir]

      # Filter pattern to avoid leaking path information
!     regsub -all {\.\./} $pattern {} pattern

      set list [glob -nocomplain -- [file join $dir $pattern]]
      if {[llength $path] > 1} {
--- 174,181 ----
      set path [file split $dir]

      # Filter pattern to avoid leaking path information
!     regsub -all {\.+/} $pattern {} pattern
!     set pattern [string trimleft $pattern /]

      set list [glob -nocomplain -- [file join $dir $pattern]]
      if {[llength $path] > 1} {

>>>Michael Schlenker said:
 > Phuong Nguyen wrote:
 > 
 > >Released Date 09/23/2003
 > >
 > >TITLE
 > >=====
 > >TCLHttpd 3.4.2 - Multiple Vulnerabilities
 > >
 > >DESCRIPTION
 > >===========
 > >"TclHttpd is used both as a general-purpose Web
 > >server, and as a framework for building server
 > >applications. It implements Tcl (http://www.tcl.tk),
 > >including the Tcl Resource Center and Scriptics'
 > >electronic commerce facilities. It is also
 > >built into several commercial applications such as
 > >license servers and mail spam filters. Instructions
 > >for setting up the TclHttpd on your platform are given
 > >towards the end of the chapter, on page See The
 > >TclHttpd Distribution. It works on Unix, Windows, and
 > >Macintosh. You can have the server up and running
 > >quickly."
 > >
 > >More information at
 > >http://www.tcl.tk/software/tclhttpd
 > >
 > One should add the sourceforge Project:
 > http://www.sourceforge.net/projects/tclhttpd
 > 
 > >
 > >PROBLEMS
 > >========
 > >Affected Version    : TCLHttpd 3.4.2 (latest) and
 > >probably older builds
 > >Tested Platform             : Linux(x86)
 > >
 > >Mutiple flaws in TCLHttpd server which open door for
 > >an attacker to browse any directories on the remote
 > >host, and to inject 
 > >
 > >malicious javascript/vbscript content to the user's
 > >browser under the TCLHttpd server context (Cross Site
 > >Scripting).
 > >
 > >DETAILS
 > >=======
 > >[Vulnerability #1] Arbitrary Directory Browsing
 > >
 > >When a user requests a directory on TCLHttpd server,
 > >httpdthread.tcl will start to look for various default
 > >index file names in that directory, if none can be
 > >found then it will pass the operation to dirlist.tcl
 > >script to do the "fancy" directory listing which
 > >provides users the ability to sort files by modify
 > >date, name, size or file's pattern. Dirlist.tcl script
 > >does filter inputs from the users in order to prevent
 > >directory traversal but it can be easily bypassed if
 > >an absolute path was entered. Directory listing is
 > >enabled by default.
 > >
 > >For example: Requesting
 > >http://abc.com/images/?pattern=/*&sort=name will
 > >return you a list of directory under /
 > >
 > Confirmed. This is similar to:
 > http://sourceforge.net/tracker/index.php?func=detail&aid=591103&group_id=128
     84&atid=112884
 > 
 > >[Vulnerability #2] Cross Site Scripting (XSS)
 > >
 > >TCLHttpd web server comes with various modules in
 > >order to increase the flexibility of the server, and
 > >/debug module is enable by default which allows you to
 > >download logging information, debug the Tcl part of
 > >the application without restarting the hosting
 > >application. 
 > >
 > >Many modules are suffered from the
 > >multiple Cross Site Scripting (XSS) vulnerabilities
 > >that potentially enable a malicious user to "inject"
 > >code into a user's session under TCLHttpd server
 > >context. I'm going to use the /debug module as an
 > >example.
 > >
 > >http://www.abc.com/debug/echo?name=<script>alert('hello');</script>
 > >http://www.abc.com/debug/dbg?host=<script>alert('hello');</script>
 > >http://www.abc.com/debug/showproc?proc=<script>alert('hello');</script>
 > >http://www.abc.com/debug/errorInfo?title=<script>alert('hello');</script>
 > >
 > >WORK AROUND
 > >===========
 > >You can eliminate the threats from these
 > >vulnerabilities by editing your httpdthread.tcl and
 > >comment out the directory listing option, also you
 > >should disable the following modules to prevent Cross
 > >Site Scripting: Status, Debug, Mail and Admin.
 > >  
 > >
 > 
 > Michael Schlenker
 > 
 > 
 > 
 > 
 > 
 > -------------------------------------------------------
 > This sf.net email is sponsored by:ThinkGeek
 > Welcome to geek heaven.
 > http://thinkgeek.com/sf
 > _______________________________________________
 > TclHttpd-users mailing list
 > TclHttpd-users@xxxxxxxxxxxxxxxxxxxxx
 > https://lists.sourceforge.net/lists/listinfo/tclhttpd-users

--
Brent Welch
Software Architect, Panasas Inc
Delivering the World's Most Scalable and Agile Storage Network
www.panasas.com
welch@xxxxxxxxxxx