directory traversal in xweb 1.0

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: directory traversal in xweb 1.0
From: "Donato Ferrante" <fdonato@xxxxxxxxxxxxx>
Date: Mon, 22 Mar 2004 12:51:48 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

                           Donato Ferrante


Application:  xweb
              http://in.geocities.com/shamit_bagchi

Version:      1.0

Bug:          directory traversal bug

Author:       Donato Ferrante
              e-mail: fdonato@xxxxxxxxxxxxx
              web:    www.autistici.org/fdonato


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The fix



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

xweb is a free HTTP server, for Linux based systems.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The program doesn't check for malicious patterns like "/../", so an
attacker is able to see and download all the files on the remote
system simply using a browser.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerability:

http://[host]/../../../../etc/passwd

or:

http://[host]/../someFile



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

Vendor was contacted.
Bug will be probably fixed in the next version of xweb.



If you want, you can use my following little patch, that should fix
the bug for this version of xweb:

        .
        ..
        ...

(line: 233 of server.c) pstr[i]='\0';

/* start of patch */


int d = 0,
    found = 1;

for( ; d < strlen(secondstr)-1 && found == 1; d++ ) {
            if( (secondstr[d] == '.') && (secondstr[d+1] == '.') )
                 found = 0;
}

if(found == 0)
     strcpy(secondstr, "/");


/* end of patch */

        ...
        ..
        .



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Prev by Date: Invision Gallery SQL Injection Vulnerabilities
Next by Date: Vulnerabilities in Member Management System 2.1
Previous by thread: Invision Gallery SQL Injection Vulnerabilities
Next by thread: Vulnerabilities in Member Management System 2.1
Index(es):
- Date
- Thread