SecurityTracker.com
Category:  Application (Web Server/CGI)  >  SWServer
Vendors:  Lee, Trevor
SWServer Java Web Server Input Validation Hole Lets Remote Users View Files on the System Located Outside of the Document Directory
SecurityTracker Alert ID:  1005154
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Aug 29 2002
Impact:  Disclosure of system information, Disclosure of user information
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 2.2 and prior versions
Description:  An input validation vulnerability was reported in the SWServer Java-based web server. A remote user can view files on the system that are readable by the web server process.

PivX warned of a directory traversal bug. A remote user can supply HTTP GET requests that contain the '\' (%5c) and '/' (%2f) characters to traverse the directory and view files that are located outside of the document directory. Some demonstration exploit URLs are provided:

http://host/%2f%2e%2e%2f
http://host/%5c%2e%2e%5c
http://host/..\
http://host/../

Impact:  A remote user can view files on the system that are readable by the web server process.
Solution:  The vendor has released a fixed version (2.3), available at:

http://www.geocities.com/SiliconValley/Office/4954/download/swserver.html

Vendor URL:  www.geocities.com/tlhome2000/
Cause:  Access control error, Input validation error
Underlying OS:  Java, Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Bugtest <aluigi@pivx.com>
Message History:   None.
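
Added example (not SWServer's code and not the vendor's 2.3 fix): one way a Java file server can refuse the four request forms listed in the Description, by decoding once, treating '\' as a separator on every OS, and confirming the result stays under the document directory. The class name SafeResolve, the method resolve and the temporary document root are hypothetical.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class SafeResolve {
    /** Maps a raw request path to a file under docRoot; returns null if the request must be refused. */
    static Path resolve(Path docRoot, String rawPath) throws IOException {
        Path root = docRoot.toRealPath();
        try {
            // Decode once, before any check, so %2f, %5c and %2e are seen as the characters they encode.
            // '+' is escaped first because URLDecoder would otherwise turn it into a space.
            String decoded = URLDecoder.decode(rawPath.replace("+", "%2B"), StandardCharsets.UTF_8);
            // Treat '\' as a separator on every OS, not only where the platform does.
            String unified = decoded.replace('\\', '/');
            if (unified.indexOf('\0') >= 0) return null;
            for (String segment : unified.split("/")) {
                if (segment.equals("..")) return null;   // strict policy: no parent references at all
            }
            Path candidate = root.resolve(unified.replaceAll("^/+", "")).normalize();
            // Resolve symlinks for existing files, then confirm containment in the document root.
            if (Files.exists(candidate)) candidate = candidate.toRealPath();
            return candidate.startsWith(root) ? candidate : null;
        } catch (IllegalArgumentException e) {
            return null;   // malformed percent-escape, or a path the platform rejects
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample document root with a single file in it.
        Path docRoot = Files.createTempDirectory("docroot");
        Files.writeString(docRoot.resolve("index.html"), "<h1>ok</h1>");
        // The first path is a constructed benign request; the other four are the forms from the advisory.
        String[] samples = { "/index.html", "/%2f%2e%2e%2f", "/%5c%2e%2e%5c", "/..\\", "/../" };
        for (String raw : samples) {
            Path p = resolve(docRoot, raw);
            System.out.println(raw + " -> " + (p == null ? "REFUSED" : "serve " + p.getFileName()));
        }
    }
}
```

The containment check after normalization is kept even though ".." segments are already rejected, so that absolute or drive-qualified paths and symlinks pointing outside the document directory are refused as well.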


 Source Message Contents

Date:  Wed, 28 Aug 2002 19:46:58 +0000
From:  Bugtest <aluigi@pivx.com>
Subject:  SWServer 2.2 directory traversal bug

 


######################################################################

Auriemma Luigi, PivX security advisory 

Application: SWServer 
             (http://www.geocities.com/tlhome2000/swserver.html)
Version:     2.2 and previous
Bug:         Directory traversal bug
Risk (high): An attacker can view and "surf" in the directories of the
             remote server and view all the files in it.
Author:      Auriemma Luigi, Security Researcher, PivX Solutions, LLC
             e-mail: aluigi@pivx.com

######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix
5) Philosophy

______________________________________________________________________

1) Introduction

Swserver is a small free webserver totally written in Java.
It can be considered a tiny webserver for tests or to be
used by single users who don't want to lose their time in
configuration files.

______________________________________________________________________

2) Bug

The bug is a directory traversal bug that lets the attacker use the
remote server like a new read-only drive, all readable with a browser.

The bad characters that can be used to exploit the vulnerability are
'\' (%5c) and '/' (%2f).

______________________________________________________________________

3) The Code

I suggest trying only these links and then following the directories
with the browser:

http://host/%2f%2e%2e%2f
http://host/%5c%2e%2e%5c
http://host/..\
http://host/../

______________________________________________________________________

4) Fix

SWserver 2.3 from its homepage:

http://www.geocities.com/tlhome2000/swserver.html

______________________________________________________________________

5) Philosophy

I'm really hopeful about the FULL-DISCLOSURE policy, because with it
"everyone" can know the real effects of an attack, the real danger of
a bug, someone can learn a bit of creative programming (I have learned
a bit of interesting C from the source code of some published
exploits under this policy) and it's useful for all the people that 
are hopeful in this type of disclosure.
No secrets!

______________________________________________________________________

About PivX Solutions
PivX Solutions is a premier network security consultancy offering a
myriad of network security services to our clients, the most notable
being our proprietary Risk and Vulnerability Assessment (RAVA).
Dedicated PivX founders have also developed the patented Invisiwall
network security device which offers the most comprehensive and secure
intrusion detection system available.

For more information go to http://www.PivX.com


Any type of feedback is really welcome!

Byez



-- 
PivX Security Researcher

 



Copyright 2002, SecurityGlobal.net LLC