SecurityTracker.com
Category:  Application (Web Server/CGI)  >  TclHttpd
Vendors:  tclhttpd.sourceforge.net
TclHttpd 'dirlist.tcl' Discloses Directory Contents to Remote Users and Permits Remote Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1007797
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Sep 24 2003
Impact:  Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 3.4.2
Description:  Phuong Nguyen reported several vulnerabilities in TclHttpd. A remote user can view directory listings on the target system. A remote user can also conduct cross-site scripting attacks against web server users.

It is reported that the 'dirlist.tcl' script does not properly validate user-supplied paths when performing directory listings. A remote user can submit the following type of request to view a listing of the root directory:

http://[target]/images/?pattern=/*&sort=name

It is also reported that the Debug module (enabled by default) and other modules (including the Status, Mail, and Admin modules) do not filter HTML code from user-supplied input when displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the vulnerable TclHttpd web server software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/debug/echo?name=<script>alert('hello');</script>
http://[target]/debug/dbg?host=<script>alert('hello');</script>
http://[target]/debug/showproc?proc=<script>alert('hello');</script>
http://[target]/debug/errorInfo?title=<script>alert('hello');</script>

The vendor has reportedly been notified.

Impact:  A remote user can view specified directory listings on the target system.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the TclHttpd web server software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:  No solution was available at the time of this entry.

The author of the report indicates that you can edit the 'httpdthread.tcl' file to comment out the directory listing option to avoid the directory traversal flaw and you can disable the Status, Debug, Mail and Admin modules to avoid the cross-site scripting vulnerability.
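
An added example, not part of the advisory or of TclHttpd: a log triage script that flags the two request shapes described in this entry, so an operator can check whether a server was probed before the workaround was applied. It assumes a Common Log Format access log; the sample lines, function names and finding labels are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Modules the advisory names as echoing request input without HTML filtering.
ECHO_MODULES = ("debug", "status", "mail", "admin")
REQUEST_LINE = re.compile(r'"[A-Z]+ (\S+) HTTP/\d\.\d"')
MARKUP = re.compile(r"[<>]")

def classify(log_line):
    """Return the sorted finding labels for one access-log line."""
    match = REQUEST_LINE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    segments = [s for s in unquote(url.path).lower().split("/") if s]
    findings = set()
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        value = unquote(value)  # second pass also catches double-encoded input
        if name == "pattern":
            if value.startswith("/"):
                findings.add("dirlist-absolute-pattern")
            if ".." in value.split("/"):
                findings.add("dirlist-dotdot-pattern")
        if segments and segments[0] in ECHO_MODULES and MARKUP.search(value):
            findings.add("markup-in-" + segments[0] + "-parameter")
    return sorted(findings)

# Constructed sample lines in Common Log Format (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Sep/2003:06:23:29 -0700] "GET /images/?pattern=*.gif&sort=name HTTP/1.0" 200 1830',
    '192.0.2.44 - - [24/Sep/2003:06:24:02 -0700] "GET /images/?pattern=/*&sort=name HTTP/1.0" 200 4211',
    '192.0.2.44 - - [24/Sep/2003:06:24:09 -0700] "GET /images/?pattern=%2F*&sort=size HTTP/1.0" 200 4211',
    '192.0.2.61 - - [24/Sep/2003:06:25:40 -0700] "GET /debug/echo?name=%3Cscript%3Ealert(%27hello%27);%3C/script%3E HTTP/1.0" 200 312',
    '192.0.2.10 - - [24/Sep/2003:06:26:11 -0700] "GET /debug/echo?name=build-42 HTTP/1.0" 200 120',
]

def scan(lines):
    """Map 1-based line numbers to findings, omitting clean lines."""
    report = {}
    for number, line in enumerate(lines, start=1):
        findings = classify(line)
        if findings:
            report[number] = findings
    return report

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG).items():
        print(number, ", ".join(findings))
```

A hit on the `pattern` rule with a 200 response is worth reviewing for what the listing exposed; hits on the module rule show only that markup was submitted, not that a user loaded the link.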

Vendor URL:  www.tcl.tk/software/tclhttpd/
Cause:  Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  Confirmed on Linux
Reported By:  Phuong Nguyen <dphuong@yahoo.com>
Message History:   None.


 Source Message Contents

Date:  Wed, 24 Sep 2003 06:23:29 -0700 (PDT)
From:  Phuong Nguyen <dphuong@yahoo.com>
Subject:  TCLHttpd Server - Multiple Vulnerabilities

 

Released Date 09/23/2003

TITLE
=====
TCLHttpd 3.4.2 - Multiple Vulnerabilities

DESCRIPTION
===========
"TclHttpd is used both as a general-purpose Web
server, and as a framework for building server
applications. It implements Tcl (http://www.tcl.tk),
including the Tcl Resource Center and Scriptics'
electronic commerce facilities. It is also
built into several commercial applications such as
license servers and mail spam filters. Instructions
for setting up the TclHttpd on your platform are given
towards the end of the chapter, on page See The
TclHttpd Distribution. It works on Unix, Windows, and
Macintosh. You can have the server up and running
quickly."

More information at
http://www.tcl.tk/software/tclhttpd

PROBLEMS
========
Affected Version : TCLHttpd 3.4.2 (latest) and probably older builds
Tested Platform  : Linux(x86)

Multiple flaws in TCLHttpd server which open the door for
an attacker to browse any directories on the remote
host, and to inject malicious javascript/vbscript
content to the user's browser under the TCLHttpd server
context (Cross Site Scripting).

DETAILS
=======
[Vulnerability #1] Arbitrary Directory Browsing

When a user requests a directory on TCLHttpd server,
httpdthread.tcl will start to look for various default
index file names in that directory, if none can be
found then it will pass the operation to dirlist.tcl
script to do the "fancy" directory listing which
provides users the ability to sort files by modify
date, name, size or file's pattern. Dirlist.tcl script
does filter inputs from the users in order to prevent
directory traversal but it can be easily bypassed if
an absolute path was entered. Directory listing is
enabled by default.

For example: Requesting
http://abc.com/images/?pattern=/*&sort=name will
return you a list of directory under /

[Vulnerability #2] Cross Site Scripting (XSS)

TCLHttpd web server comes with various modules in
order to increase the flexibility of the server, and
the /debug module is enabled by default, which allows you to
download logging information and debug the Tcl part of
the application without restarting the hosting
application. Many modules suffer from
multiple Cross Site Scripting (XSS) vulnerabilities
that potentially enable a malicious user to "inject"
code into a user's session under TCLHttpd server
context. I'm going to use the /debug module as an
example.

http://www.abc.com/debug/echo?name=<script>alert('hello');</script>
http://www.abc.com/debug/dbg?host=<script>alert('hello');</script>
http://www.abc.com/debug/showproc?proc=<script>alert('hello');</script>
http://www.abc.com/debug/errorInfo?title=<script>alert('hello');</script>

WORK AROUND
===========
You can eliminate the threats from these
vulnerabilities by editing your httpdthread.tcl and
comment out the directory listing option, also you
should disable the following modules to prevent Cross
Site Scripting: Status, Debug, Mail and Admin.

Notes: Disabling some modules in your TCLhttpd
configuration might decrease the flexibility of your
server.

VENDOR STATUS
=============
Vendor has been notified.

Phuong Nguyen



Copyright 2002, SecurityGlobal.net LLC