Re: IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server

From: Daniel R. Ome (keziahat_private)
Date: Thu Sep 26 2002 - 11:42:41 PDT


    On Wed, Sep 25, 2002 at 09:10:45AM -0000, 
    DownBload wrote about IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server:
    
    > 
    > 
    > 
    >                 [ Illegal Instruction Labs Advisory ]
    > [-------------------------------------------------------------------------]
    > Advisory name: Reverse traversal vulnerability in Monkey (0.1.4) HTTP 
    > server
    > Advisory number: 12
    > Application: Monkey (0.1.4) HTTP server
    > Application author: Eduardo Silva (EdsipeR) 
    > Author e-mail: edsiper@linux-chile.org
    > Monkey Project: http://monkeyd.sourceforge.net
    > Date: 06.09.2002
    > Impact: Attacker can read files out of SERVER_ROOT directory 
    > 
    > ... 
    > ======[ Problem
    > Monkey doesn't check HTTP request for ../ string, and because of that, 
    > attacker can view any file out of SERVER_ROOT directory which Monkey can 
    > read (if Monkey is running under root account, attacker can read any file 
    > on that machine). 
    > There is still one thing which will make attack a little more "complicate":
    >
    > ...
    > 
    > Translated to (poor:) English: 
    > If our request is / or second char of our request is . , then path will be
    > set to SERVER_ROOT, and in that case, we can't go out of SERVER_ROOT 
    > directory. 
    > 
    > Previous "if" will prevent simple reverse traversal attack like this one:
    > ---cut here---
    > GET /../../../../../../../../../etc/passwd HTTP/1.0
    > ---cut here---
    > 
    > But can't prevent this reverse traversal attack:
    > ---cut here---
    > GET //../../../../../../../../../etc/passwd HTTP/1.0
    > ---cut here---
    > 
    
     Hi:
    
        This bug was reported in December 2001 and corrected in the following
     versions. Anyway, Monkey 0.5.0 was released recently.
    
        See you
                                                 Daniel
    
    -- 
    
       Daniel R. Ome    |  Adam ate the apple, and our teeth
        Jujuy - R.A.    |  still ache.
     Linux User 165078  |      Hungarian proverb.
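
Added example, not part of the original messages and not Monkey's code: a model of the check as the quoted advisory describes it in prose, beside a segment-by-segment check that tracks depth below the document root. The function names are hypothetical, and the sample request paths are the two from the advisory plus constructed ones.

```c
#include <stdio.h>
#include <string.h>

/* Model of the check as the advisory words it: returns 1 when the request
   is "/" or its second character is '.', i.e. the path is forced back to
   SERVER_ROOT. Not taken from Monkey's source. */
int second_char_check(const char *req) {
    return strcmp(req, "/") == 0 || (req[0] != '\0' && req[1] == '.');
}

/* Hardened check: split the path on '/', collapse repeated slashes, and
   count depth below the root. Returns 1 if the path never climbs above
   the root, 0 otherwise. Assumes percent-decoding has already been done;
   symbolic links still need a realpath()-style check on the final file. */
int path_stays_in_root(const char *req) {
    int depth = 0;
    const char *p = req;
    if (*p != '/') return 0;                 /* require an absolute path */
    while (*p) {
        while (*p == '/') p++;               /* "//" counts as one slash */
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - seg);
        if (len == 0) break;                 /* trailing slash, end of path */
        if (len == 1 && seg[0] == '.') continue;          /* "." stays put */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (--depth < 0) return 0;       /* ".." would leave the root */
            continue;
        }
        depth++;                             /* ordinary name, one level down */
    }
    return 1;
}

int main(void) {
    const char *samples[] = {
        "/../../../../../../../../../etc/passwd",   /* from the advisory */
        "//../../../../../../../../../etc/passwd",  /* from the advisory */
        "/docs/../index.html",                      /* constructed */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s second_char=%d stays_in_root=%d\n", samples[i],
               second_char_check(samples[i]), path_stays_in_root(samples[i]));
    return 0;
}
```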
    



    This archive was generated by hypermail 2b30 : Fri Sep 27 2002 - 08:28:06 PDT