directory traversal in RaidenHTTPD 1.1.27
Donato Ferrante
Application: RaidenHTTPD
http://www.raidenhttpd.com/
Version: 1.1.27
Bug: directory traversal
Date: 05-Feb-2005
Author: Donato Ferrante
e-mail: fdonato@xxxxxxxxxxxxx
web: www.autistici.org/fdonato
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description
2. The bug
3. The code
4. The fix
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------
1. Description:
----------------
Vendor's Description:
"RaidenHTTPD is a full featured web server software for Windows 98/Me/
2000/XP/2003 platforms."
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
2. The bug:
------------
The program by default has some checks to avoid malicious patterns
like "/../" into http requests, but the program doesn't well manage
the initial "/" into requests. In fact if you send a request like:
> GET /somefile HTTP/1.1
the webserver will return the requested file if available in the
DocumentRoot directory.
But if you send a request like:
> GET somefile HTTP/1.1
the webserver will return the requested file if available in the
disk partition where the httpd is installed.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
3. The code:
-------------
To test the vulnerability, send a raw http request to the server like:
GET windows/system.ini HTTP/1.1
Host: localhost
this will display Windows' system.ini, if the http server is installed
on the same partition of Windows.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
4. The fix:
------------
Vendor was contacted.
Bug fixed in the version 1.1.31.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx