Tiny Server 1.1 (1.0.5) Multiple Vulnerabilities
Donato Ferrante
Application: Tiny Server
http://sourceforge.net/projects/tinyserver
Version: 1.1 (1.0.5)
Bugs: Multiple Vulnerabilities
Author: Donato Ferrante
e-mail: fdonato@xxxxxxxxxxxxx
web: www.autistici.org/fdonato
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description
2. The bugs
3. The code
4. The fix
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------
1. Description:
----------------
Vendor's Description:
"This is a very basic http server. This server can accept multiple
requests at once. The server is only 56 kb. The server has been
configured to accept a maximum of 100 connections.
As of now Tiny Server supports only the GET request."
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
2. The bugs:
-------------
[1] directory traversal bug: the program does't make a good check on
the user input string ( /../ ) so an attacker is able to see and
download all the files on the remote system simply using his
browser.
[2] denial of service bug: the program have no checks on the input
strings received, so an attacker is able to crash the server
simply sending a crafted string.
[3] cross site scripting bug: the program doesn't make a full check
on the strings sent by the client, in fact the input strings are
not filtered and they will appear in the returned page.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
3. The code:
-------------
The following are some examples to test the vulnerabilities:
[1]
http://[host]/../../windows/system.ini
[2]
GET /index.htm
( without specify HTTP/1.1 )
or simply:
index.htm
( without specify GET and HTTP/1.1 )
or:
GET /aaaaaa[ 260 of a ]aaa HTTP/1.1
[3]
http://[host]/<script>alert("Test")</script>
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
4. The fix:
------------
No fix.
The vendor has not answered to my signalations.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx