<<< Date Index >>>     <<< Thread Index >>>

directory traversal in GWeb 0.6



                           Donato Ferrante


Application:  GWeb HTTP Server
              http://freshmeat.net/projects/gweb/

Version:      0.6

Bug:          directory traversal bug

Author:       Donato Ferrante
              e-mail: fdonato@xxxxxxxxxxxxx
              web:    www.autistici.org/fdonato


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The Fix



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"GWeb is a project to develop an HTTP server using Java, making it
small and portable. It will run on any system running the Java
Runtime Environment."


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The program doesn't check for malicious patterns like "/../", so an
attacker is able to see and download all the files on the remote
system simply using a browser.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerability:

http://[host]/../../../../../../windows/system.ini

or:

http://[host]/../someFile



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The Fix:
------------

No fix.
The vendor has not answered to my signalations.

If you want, you can use my following little patch, that should fix
the bug for this version of GWeb HTTP Server:

        ...
        ..
        .

(line: 136) String dir="www"+System.getProperty("file.separator");

/* start of patch */

        int f_len = f.length();
        boolean check = false;

        for(int bi = 0; bi < f.length()-2 && check == false; bi++){

                  if(
                     (f.charAt(bi) == '\"') || (f.charAt(bi)=='/') &&
                     (f.charAt(bi+1)=='.') && (f.charAt(bi+2) == '.')

                    ){

                       f_len = 0;
                       check = true;
                     }
                    
                    else if(
                            (f.charAt(bi)=='.') && 
                            (f.charAt(bi+1) == '.')

                         ){

                             f_len = 0;
                             check = true;
                          }

        }

        if(f_len <= 2) // before "if(f.length()==0)"

/*  end of patch */

        {
            file=dir+"index.html";

        }

        .
        ..
        ...



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx