Hexyn / Securax Advisory #18 - Savant WWW Unicode Directory Traversal
Topic: Savant WWW Unicode Directory Traversal
Announced: 2001-02-17
Affects: Savant WWW Unicode version 2.1
DISCLAIMER:
***********
THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS.
THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT.
THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE.
I. Problem Description
**********************
Savant WWW Server is an HTTP server for Windows 9x/NT. A bug allows any
user to change to any directory, and in most cases, execute MS-DOS
commands.
II. Impact
**********
Savant filters "/.." out of the request string, but does not filter the
URL-encoded form "%2f..", which is decoded after the check.
Example:
--------
https://www.testserver.com/%2f..%2f..%2f../
HTTP Directory of //../../../
<directory listing of c:\>
Notes:
- When the user does not know a directory which allows listings, one
cannot get a listing, but one can still download known files.
- When the user knows a directory which allows CGI execution, one can
execute MS-DOS commands using:
https://www.test_server.com/cgi-bin/%2f..%2f..%2f../cmd.exe?+/c+dir
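The filter-before-decode flaw described above, as an added example (not Savant's own code): the naive filter the advisory describes next to a check that decodes and canonicalizes before confining the path to the document root, plus a scan over constructed log lines. DOCROOT and the log lines are assumptions.

```python
from urllib.parse import unquote
import posixpath

DOCROOT = "/srv/www"  # assumed document root, not Savant's default


def naive_filter(path):
    """Models the check the advisory describes: "/.." is stripped from the
    raw request path, so the encoded "%2f.." is never seen."""
    return path.replace("/..", "")


def weak_resolve(request_path):
    """Check-then-decode (vulnerable model): filter the raw path, then decode.
    Returns the filesystem path the server would serve."""
    filtered = naive_filter(request_path)
    return posixpath.normpath(DOCROOT + "/" + unquote(filtered))


def safe_resolve(request_path):
    """Decode first, normalize, then confine to DOCROOT.
    Returns None when the resolved path would escape the document root."""
    decoded = unquote(request_path).replace("\\", "/")  # Windows accepts both
    candidate = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if candidate != DOCROOT and not candidate.startswith(DOCROOT + "/"):
        return None
    return candidate


# Constructed sample access-log request lines (not real traffic).
SAMPLE_LOG = [
    "GET /index.html HTTP/1.0",
    "GET /%2f..%2f..%2f../ HTTP/1.0",
    "GET /cgi-bin/%2f..%2f..%2f../cmd.exe?+/c+dir HTTP/1.0",
]


def flag_traversal(log_lines):
    """Return the request targets whose decoded path escapes DOCROOT."""
    hits = []
    for line in log_lines:
        target = line.split(" ")[1]
        path = target.split("?", 1)[0]  # drop the query string
        if safe_resolve(path) is None:
            hits.append(target)
    return hits
```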
III. Solution
*************
At this time, no patch is available.
IV. Credits
***********
Bug discovered by t-Omicr0n <omicr0n@themail.com>
Greets to: f0bic, The Incubus, R00T-dude, cicer0, vorlon, sentinel,
oPr, Reggie, F_F, Shaolin_p, Segfau|t, NecrOmaN, Zym0t1c, l0r3,
Preat0r, T0SH, zeroX, AreS, tips, Lacrima, GigaByte and everyone
at #securax@irc.hexyn.be
-- t-Omicr0n @ https://t-Omicr0n.hexyn.be