Multiple Vulnerabilities in PWS 0.2.2

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Multiple Vulnerabilities in PWS 0.2.2
From: "Donato Ferrante" <fdonato@xxxxxxxxxxxxx>
Date: Thu, 11 Mar 2004 12:42:30 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

                           Donato Ferrante


Application:  Pegasi Web Server (PWS)
              http://pws.sourceforge.net

Version:      0.2.2

Bugs:         Multiple Vulnerabilities

Author:       Donato Ferrante
              e-mail: fdonato@xxxxxxxxxxxxx
              web:    www.autistici.org/fdonato


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bugs
3. The code
4. The fix



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"Pegasi Web Server (PWS) is a multithreading Java Web server. It is
written by students at the PegasiLUG as a project for Networking."



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
2. The bugs:
-------------

[1] directory traversal bug: the program doesn't check for malicious
    patterns like "/../", so an attacker is able to navigate through
    the system simply using a browser.


[2] cross site scripting bug: the user input strings are not filtered
    and they will appear in the returned page.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerabilities:

[1]

http://[host]:8080/../../../../etc/passwd

or:

http://[host]:8080/../


[2]

http://[host]:8080/<script>alert("Test")</script>



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

No fix.
The email addresses provided on the official website seem don't work.


If you want, you can use my following little patch, that should fix
the bugs for this version of Pegasi Web Server:

        ...
        ..
        .

( line: 30 of FileFinder.java ) FileFinder(String httpURIPath)
{

/* start of patch for [1] */


boolean done = false;

for(int z = 0; z < httpURIPath.length()-1; z++){
  if( httpURIPath.charAt(z) == '.' && httpURIPath.charAt(z+1) == '.'){
       this.status = -1;
       done = true;
  }
}

if( done == true ) return;


/* end of patch for [1] */

        .
        ..
        ...

                          - - - - -
        ...
        ..
        .

( line: 233 of Connection.java )

/* start of patch for [2] */


     case -1:    /* nothing found */
     {
       Misc.putSysMessage(0,"Requested file was NOT found.");
       output.outputError(404, " ");
       //before "output.outputError(404,httpURI);"
       break;
     }

     
/* end of patch for [2] */

      .
      ..
      ...



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Follow-Ups:
- Re: Multiple Vulnerabilities in PWS 0.2.2
  - From: Jan De Luyck

Prev by Date: Re: Unreal engine updates and Battle Mages advisory
Next by Date: Re: Outlook mailto: URL argument injection vulnerability MS04-009 (Now CRITICAL) !
Previous by thread: Multiple vulnerabilities in Hushmail.com
Next by thread: Re: Multiple Vulnerabilities in PWS 0.2.2
Index(es):
- Date
- Thread