
| Subject: | Directory traversal flaw in shttp |
|---|---|
| Date: | Thu, 25 Oct 2007 18:46:26 +0100 |

The most recent version of this advisory (including any updates) is
available at:

http://www.digineo.co.uk/shttp_directory_traversal

Directory Traversal Flaw in shttp
---------------------------------

Affected product: shttp
Product vendor: Vito Caputo - (http://serverkit.org/modules/contrib/shttp/)
Affected version: 0.0.4

Product description
-------------------

Shttp is a partial implementation of HTTP/1.1. It does not strictly follow
the RFC but works well enough to serve static content for
personal/experimental/educational use. The module consists of just over
1000 LoC making it an excellent example of what can be done with ServerKit
with little effort and a great learning tool for those getting started with
ServerKit programming.

Problem analysis
----------------

While examining the source code of shttp.c, it was noted that the
safe_path(char *path) function does not entirely prevent directory
traversal attacks.

The affected function analyses the supplied URI and returns a value
indicating the folder distance from the document root. Positive return
values indicate child folders, negative values indicate parent folders and
hence directory traversal attempts.

However, the function does not trap directory traversal attacks where the
target file is deeper within the folder hierarchy than the web document
root.

Problem example
---------------

Assuming that the product has been installed with the default document
root (/var/www), the following demonstrates the problem:

    HEAD /../../etc/passwd HTTP/1.0

    HTTP/1.1 400 Bad Request
    Content-Type: text/html
    Server: Shttp/ServerKit
    Date: Thu, 25 Oct 2007 16:31:30 GMT
    Connection: close

    HEAD /../../var/log/messages HTTP/1.0

    HTTP/1.1 200 OK
    Content-Length: 178455
    Content-Type: text/plain
    Last-Modified: Thu, 25 Oct 2007 16:36:39 GMT
    Server: Shttp/ServerKit
    Date: Thu, 25 Oct 2007 16:42:32 GMT
    Connection: close

Rectification
-------------

This issue has been addressed and rectified in version 0.0.5 of shttp,
available from http://serverkit.org/modules/contrib/shttp/.

digineo thanks Vito Caputo for his assistance and rapid response with
regards to this issue.

Discovery timeline
------------------

20071024 - Issue discovered
20071025 - Vendor notified
20071025 - Vendor response
20071025 - Update released
20071026 - Advisory published

--
Pete Foster
digineo Limited
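
An added example, not taken from shttp.c or from the advisory: a C model of the depth check described under "Problem analysis", with a test of the final net depth only beside one that fails as soon as the walk climbs above the document root. The function names, and the choice not to count the final file name as a folder, are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative model only (not shttp's code). Walks a URI path one component
 * at a time, tracking folder depth relative to the document root: ".." is -1,
 * a named folder is +1. Assumption: the final file name is not counted.
 * strict == 0: report only the net depth at the end (the flawed check).
 * strict != 0: return -1 the moment the walk climbs above the root. */
static int walk_depth(const char *path, int strict)
{
    int depth = 0;
    const char *p = path;

    while (*p != '\0') {
        size_t len;
        while (*p == '/')
            p++;
        len = strcspn(p, "/");
        if (len == 0)
            break;                       /* trailing slash, nothing left */
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            depth--;
            if (strict && depth < 0)
                return -1;               /* left the document root */
        } else if (!(len == 1 && p[0] == '.') && p[len] == '/') {
            depth++;                     /* named folder, not the file */
        }
        p += len;
    }
    return depth;
}

/* Hypothetical names for the two variants. */
int net_depth_only(const char *path)        { return walk_depth(path, 0); }
int checked_per_component(const char *path) { return walk_depth(path, 1); }

int main(void)
{
    /* The two request paths from the advisory plus one benign path. */
    const char *paths[] = { "/../../etc/passwd", "/../../var/log/messages",
                            "/docs/../index.html" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-26s net=%2d strict=%2d\n", paths[i],
               net_depth_only(paths[i]), checked_per_component(paths[i]));
    return 0;
}
```

A negative result means the request is rejected. Either check is only meaningful on the path after percent-decoding, since an encoded ".." would otherwise pass through uncounted.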