SecurityTracker.com
Category:  Application (Web Server/CGI)  >  GoAhead Web Server
Vendors:  GoAhead Software
GoAhead Web Server Input Validation Flaw Discloses Files in Restricted Directories to Remote Users
SecurityTracker Alert ID:  1008760
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jan 19 2004
Impact:  Disclosure of user information
Exploit Included:  Yes  
Version(s): 2.1.8
Description:  An input validation vulnerability was reported in the GoAhead Web Server. A remote user can retrieve files from directories that are meant to be handled specially, such as the 'cgi-bin' directory, as if they were ordinary document directories.

Luigi Auriemma reported that a remote user can supply an HTTP GET request whose path omits the leading slash, or contains backslashes (literal '\' or URL-encoded as %5c) after or in place of the leading slash, to obtain files in restricted directories:

GET file HTTP/1.0
GET \file HTTP/1.0
GET /\\%5cfile HTTP/1.0

It is reported that the directory handlers registered with websUrlHandlerDefine() (for example the handler for '/cgi-bin') are not applied when the request path is written with these characters, because websUrlHandlerRequest() does not match such a path against the registered directory prefixes.

Some demonstration exploit URLs are provided:

http://[target]/\cgi-bin/cgitest.c
http://[target]/\\\cgi-bin/cgitest.c
http://[target]/%5ccgi-bin/cgitest.c

Impact:  A remote user can access files located in restricted directories, such as 'cgi-bin'.
Solution:  No vendor solution was available at the time of this entry.

The author of the report has provided an unofficial patch for the 'handler.c' file [see the Source Message for the patch].

Vendor URL:  www.goahead.com/webserver/webserver.htm
Cause:  Access control error, Input validation error
Underlying OS:  Windows (Any)
Reported By:  Luigi Auriemma <aluigi@altervista.org>
Message History:   None.


 Source Message Contents

Date:  Mon, 19 Jan 2004 18:46:15 +0000
From:  Luigi Auriemma <aluigi@altervista.org>
Subject:  Directories management bypassing in Goahead webserver <= 2.1.8

 


#######################################################################

                             Luigi Auriemma

Application:  Goahead webserver
              http://www.goahead.com/webserver/webserver.htm
Versions:     <= 2.1.8
Platforms:    multiplatform
Bug:          bypassing of special directories management with the
              effect of downloading cgi-bin files and more
Risk:         medium/high
Exploitation: remote with browser
Date:         19 Jan 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Goahead webserver is an embedded OpenSource server that can be built on
a lot of systems (CE, Ecos, GNU/Linux, Lynx, MacOS, NW, QNX4, VXWORKS,
Win32 and others).
It is supported by a lot of companies that use it for their projects
and it is also used as a "base" for other webservers; furthermore it
has been developed to be very tiny and to run on embedded systems.


#######################################################################

======
2) Bug
======


Goahead webserver has an internal problem that lets it also accept
HTTP requests that don't start with the slash or that contain
backslashes (both \ and %5c) after or in the same place as the initial
slash.
So a correct request such as "GET /file HTTP/1.0" is accepted, but
a bad request such as "GET file HTTP/1.0", "GET \file HTTP/1.0",
"GET /\\%5cfile HTTP/1.0" and so on is also accepted.

This bug leads to the bypassing of the management of the "special"
directories (as cgi-bin) and to their usage as normal "unmanaged"
directories.

In fact the server uses a function called websUrlHandlerDefine() that
lets the admin specify how to manage each directory he wants.
For example by default we have

	websUrlHandlerDefine(T("/goform"), NULL, 0, websFormHandler, 0);

used to execute the built-in functions written by the same admin or

	websUrlHandlerDefine(T("/cgi-bin"), NULL, 0, websCgiHandler, 0);

used just to manage the cgi-bin directory.

So if an attacker uses an HTTP request like one of those seen previously,
he will easily bypass the management decided by the admin for a
specific directory (function websUrlHandlerRequest()).

The most common and useful effect of this bug is the download and the
viewing of any file in the cgi-bin directory.


#######################################################################

===========
3) The Code
===========


Some examples for reading the files in the cgi-bin directory:

   http://server/\cgi-bin/cgitest.c
   http://server/\\\cgi-bin/cgitest.c
   http://server/%5ccgi-bin/cgitest.c

   "GET cgi-bin/cgitest.c HTTP/1.0"
   "GET \cgi-bin/cgitest.c HTTP/1.0"
   "GET %5ccgi-bin/cgitest.c HTTP/1.0"


#######################################################################

======
4) Fix
======


No official fix.

A simple patch can be the addition of the following 3 lines of code at
about line 265 of the file handler.c in the function
"int websUrlHandlerRequest(webs_t wp)":

   /* refuse any path that does not begin with '/' or that contains a
      backslash anywhere, before a handler is looked up for it */
   if((wp->path[0] != '/') || strchr(wp->path, '\\')) {
       websError(wp, 400, T("Bad request"));
       return(0);
   }


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
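The following C program is an added illustration for this archive page; it is not code from the advisory or from the GoAhead sources. It models, in simplified and hypothetical form, the two mechanisms the report describes: a prefix-based handler table like the one populated by websUrlHandlerDefine() ("/goform", "/cgi-bin"), and the well-formedness check from the author's patch. The handler table, the `lookup_handler()` and `dispatch()` functions and the 256-byte path buffer are assumptions made for the example, and the check is applied after %XX decoding, which is the ordering the patch implies (strchr() on `wp->path` only catches %5c if the path has already been decoded). Running it shows why a path such as `\cgi-bin/cgitest.c` falls through to the plain file handler on the unpatched logic and is refused with 400 once the check is in place.

```c
/* Added example (not from the advisory or GoAhead): model of the handler
 * prefix bypass described in the report and of the patch's path check. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical registrations modelled on the websUrlHandlerDefine() calls
 * quoted in the advisory: a URL prefix and the name of its handler. */
struct handler { const char *prefix; const char *name; };
static const struct handler handlers[] = {
    { "/goform",  "form" },
    { "/cgi-bin", "cgi"  },
};
#define NHANDLERS (sizeof handlers / sizeof handlers[0])

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX escapes (so %5c becomes '\\'). Returns 0 on success, -1 on a
 * malformed escape or when the output buffer would overflow. */
int url_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[i + 2]);
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* The condition the author's patch adds to websUrlHandlerRequest():
 * a path must begin with '/' and must not contain a backslash. */
int path_is_well_formed(const char *path) {
    return path[0] == '/' && strchr(path, '\\') == NULL;
}

/* Prefix lookup as a handler table does it: the first registered prefix
 * matching the start of the path wins; anything else goes to the default
 * file handler, which serves the path as a plain document. */
const char *lookup_handler(const char *path) {
    for (size_t i = 0; i < NHANDLERS; i++) {
        size_t n = strlen(handlers[i].prefix);
        if (strncmp(path, handlers[i].prefix, n) == 0)
            return handlers[i].name;
    }
    return "file";
}

/* Dispatch a raw request path. hardened == 0 runs the lookup on whatever
 * the client sent (the behaviour the advisory describes); hardened == 1
 * rejects malformed paths with 400 before any handler is chosen.
 * Returns the handler name, or "reject" for a refused request. */
const char *dispatch(const char *raw_path, int hardened) {
    char path[256];                       /* assumed buffer size */
    if (url_decode(raw_path, path, sizeof path) != 0)
        return "reject";
    if (hardened && !path_is_well_formed(path))
        return "reject";                  /* websError(wp, 400, ...) in the patch */
    return lookup_handler(path);
}

int main(void) {
    /* Constructed sample request paths, taken from the advisory's examples. */
    const char *samples[] = {
        "/cgi-bin/cgitest.c",
        "cgi-bin/cgitest.c",
        "\\cgi-bin/cgitest.c",
        "%5ccgi-bin/cgitest.c",
        "/\\\\%5ccgi-bin/cgitest.c",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s  unpatched: %-6s  patched: %s\n", samples[i],
               dispatch(samples[i], 0), dispatch(samples[i], 1));
    return 0;
}
```

Note that the check has to run on the decoded path: checking the raw request would let `/%5ccgi-bin/cgitest.c` through, since its first byte is a slash, and it would only turn into `/\cgi-bin/...` (and miss the `/cgi-bin` prefix) afterwards.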

 



Copyright 2004, SecurityGlobal.net LLC