<<< Date Index >>>     <<< Thread Index >>>

Tiny Server 1.1 (1.0.5) Multiple Vulnerabilities



                           Donato Ferrante


Application:  Tiny Server 
              http://sourceforge.net/projects/tinyserver

Version:      1.1 (1.0.5)

Bugs:         Multiple Vulnerabilities

Author:       Donato Ferrante
              e-mail: fdonato@xxxxxxxxxxxxx
              web:    www.autistici.org/fdonato


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bugs
3. The code
4. The fix


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"This is a very basic http server. This server can accept multiple
requests at once. The server is only 56 kb. The server has been
configured to accept a maximum of 100 connections.
As of now Tiny Server supports only the GET request."



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
2. The bugs:
-------------

[1] directory traversal bug: the program does't make a good check on
    the user input string ( /../ ) so an attacker is able to see and
    download all the files on the remote system simply using his
    browser.

[2] denial of service bug: the program have no checks on the input
    strings received, so an attacker is able to crash the server
    simply sending a crafted string.

[3] cross site scripting bug: the program doesn't make a full check
    on the strings sent by the client, in fact the input strings are
    not filtered and they will appear in the returned page.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

The following are some examples to test the vulnerabilities:


[1]

http://[host]/../../windows/system.ini



[2]

GET /index.htm
( without specify HTTP/1.1 )

or simply:

index.htm
( without specify GET and HTTP/1.1 )

or:

GET /aaaaaa[ 260 of a ]aaa HTTP/1.1
 


[3]

http://[host]/<script>alert("Test")</script>



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

No fix.
The vendor has not answered to my signalations.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx