<<< Date Index >>>     <<< Thread Index >>>

directory traversal in xweb 1.0



                           Donato Ferrante


Application:  xweb
              http://in.geocities.com/shamit_bagchi

Version:      1.0

Bug:          directory traversal bug

Author:       Donato Ferrante
              e-mail: fdonato@xxxxxxxxxxxxx
              web:    www.autistici.org/fdonato


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The fix



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

xweb is a free HTTP server, for Linux based systems.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The program doesn't check for malicious patterns like "/../", so an
attacker is able to see and download all the files on the remote
system simply using a browser.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerability:

http://[host]/../../../../etc/passwd

or:

http://[host]/../someFile



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

Vendor was contacted.
Bug will be probably fixed in the next version of xweb.



If you want, you can use my following little patch, that should fix
the bug for this version of xweb:

        .
        ..
        ...

(line: 233 of server.c) pstr[i]='\0';

/* start of patch */


int d = 0,
    found = 1;

for( ; d < strlen(secondstr)-1 && found == 1; d++ ) {
            if( (secondstr[d] == '.') && (secondstr[d+1] == '.') )
                 found = 0;
}

if(found == 0)
     strcpy(secondstr, "/");


/* end of patch */

        ...
        ..
        .



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx