directory traversal in PWebServer 0.3.3
Donato Ferrante
Application: PWebServer
http://sourceforge.net/projects/pwebserver/
Version: 0.3.3
Bug: directory traversal bug
Author: Donato Ferrante
e-mail: fdonato@xxxxxxxxxxxxx
web: www.autistici.org/fdonato
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description
2. The bug
3. The code
4. The fix
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------
1. Description:
----------------
Vendor's Description:
"A simple Java multi-threaded Web Server that supports HTTP/1.0
protocol."
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
2. The bug:
------------
The program doesn't check for malicious patterns like "/../", so an
attacker is able to see and download all the files on the remote
system simply using a browser.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
3. The code:
-------------
To test the vulnerability:
http://[host]:6789/../someFile
or:
http://[host]:6789/../../../../etc/passwd
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
4. The fix:
------------
Bug fixed in the version 0.3.4.
If you want, you can use my following little patch, that should fix
the bug for this version of PWebServer:
..
.
.
( line: 99 )
fileName = tokenizedLine.nextToken(); // get the relative file name
/* start of patch */
boolean check = false;
for(int t = 0; t < fileName.length()-1 && check == false; t++){
if(fileName.charAt(t) == '.' && fileName.charAt(t+1) == '.')
check = true;
}
if(check == true)
fileName = "";
/* end of patch */
/* empty filename */
if(fileName.equals("") | fileName.equals("/"))
{
.
.
..
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx