
goahead2.txt

Posted Jan 20, 2004
Authored by Luigi Auriemma | Site aluigi.altervista.org

The Goahead webserver, version 2.1.8 and below, is an embedded webserver used by many products. The server has an internal problem that makes it accept malformed HTTP requests, which allows a remote attacker to view the source of CGI-related files.

tags | exploit, remote, web, cgi
SHA-256 | 86b6965a79475e6b076b8955dfe03320b7908780179972962671b165a32736ba


#######################################################################

Luigi Auriemma

Application: Goahead webserver
https://www.goahead.com/webserver/webserver.htm
Versions: <= 2.1.8
Platforms: multiplatform
Bug: bypassing of special directories management with the
effect of downloading cgi-bin files and more
Risk: medium/high
Exploitation: remote with browser
Date: 19 Jan 2004
Author: Luigi Auriemma
e-mail: aluigi@altervista.org
web: https://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Goahead webserver is an embedded open-source server that can be built on
many systems (CE, Ecos, GNU/Linux, Lynx, MacOS, NW, QNX4, VXWORKS,
Win32 and others).
It is supported by many companies that use it in their projects, and
it is also used as the "base" for other webservers; furthermore it has
been designed to be very small and to run on embedded systems.


#######################################################################

======
2) Bug
======


Goahead webserver has an internal problem that makes it accept HTTP
requests whose path does not start with a slash, or that contain
backslashes (both \ and %5c) after, or in place of, the initial
slash.
So a correct request such as "GET /file HTTP/1.0" is accepted, but
bad requests such as "GET file HTTP/1.0", "GET \file HTTP/1.0",
"GET /\\%5cfile HTTP/1.0" and so on are accepted too.

This bug allows the bypassing of the management of the "special"
directories (such as cgi-bin), which are then treated as normal
"unmanaged" directories.

In fact the server uses a function called websUrlHandlerDefine() that
lets the admin specify how each directory he wants should be managed.
For example, by default we have

websUrlHandlerDefine(T("/goform"), NULL, 0, websFormHandler, 0);

used to execute the built-in functions written by the admin himself, or

websUrlHandlerDefine(T("/cgi-bin"), NULL, 0, websCgiHandler, 0);

used just to manage the cgi-bin directory.

So if an attacker uses an HTTP request like one of those seen
previously, he easily bypasses the handling the admin has defined for a
specific directory (done in the function websUrlHandlerRequest()).

The most common and useful effect of this bug is that any file in the
cgi-bin directory can be downloaded and viewed.


#######################################################################

===========
3) The Code
===========


Some examples for reading the files in the cgi-bin directory:

https://server/\cgi-bin/cgitest.c
https://server/\\\cgi-bin/cgitest.c
https://server/%5ccgi-bin/cgitest.c

"GET cgi-bin/cgitest.c HTTP/1.0"
"GET \cgi-bin/cgitest.c HTTP/1.0"
"GET %5ccgi-bin/cgitest.c HTTP/1.0"


#######################################################################

======
4) Fix
======


No official fix.

A simple patch is to add the following 3 lines of code at about
line 265 of the file handler.c, in the function
"int websUrlHandlerRequest(webs_t wp)":

if((wp->path[0] != '/') || strchr(wp->path, '\\')) {
websError(wp, 400, T("Bad request"));
return(0);
}
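To see both the bypass and the check above in working code, here is an added example (written for this page, not taken from the advisory or from the GoAhead sources). It models the prefix-based handler dispatch that websUrlHandlerRequest() performs with a hypothetical handler table and a small URL decoder, then runs the advisory's sample paths through the dispatch with and without the check; url_decode(), dispatch_unchecked() and dispatch_checked() are stand-in names and not GoAhead's API.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for GoAhead's handler table (not its real API). */
struct handler { const char *prefix; const char *name; };
static const struct handler handlers[] = {
    { "/goform", "websFormHandler" }, { "/cgi-bin", "websCgiHandler" } };

/* Minimal %XX decoder so that "%5c" becomes a literal backslash. */
static void url_decode(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    for (unsigned v = 0; *in && n + 1 < outsz; in++) {
        if (*in == '%' && isxdigit((unsigned char)in[1]) &&
            isxdigit((unsigned char)in[2]) && sscanf(in + 1, "%2x", &v) == 1) {
            out[n++] = (char)v; in += 2;
        } else out[n++] = *in;
    }
    out[n] = '\0';
}

/* Prefix dispatch as the advisory describes websUrlHandlerRequest():
 * a path that matches no prefix falls through to plain file serving. */
const char *dispatch_unchecked(const char *path) {
    char dec[256];
    url_decode(path, dec, sizeof dec);
    for (size_t i = 0; i < sizeof handlers / sizeof handlers[0]; i++)
        if (strncmp(dec, handlers[i].prefix, strlen(handlers[i].prefix)) == 0)
            return handlers[i].name;
    return "default";   /* the bypass lands here: cgi-bin served as a file */
}

/* Same dispatch with the advisory's check applied to the decoded path. */
const char *dispatch_checked(const char *path) {
    char dec[256];
    url_decode(path, dec, sizeof dec);
    if (dec[0] != '/' || strchr(dec, '\\'))
        return "400 Bad request";
    return dispatch_unchecked(path);
}

int main(void) {   /* constructed samples, taken from the advisory's examples */
    const char *s[] = { "/cgi-bin/cgitest.c", "cgi-bin/cgitest.c",
                        "\\cgi-bin/cgitest.c", "%5ccgi-bin/cgitest.c" };
    for (size_t i = 0; i < 4; i++)
        printf("%-21s unchecked=%-15s checked=%s\n", s[i],
               dispatch_unchecked(s[i]), dispatch_checked(s[i]));
    return 0;
}
```

Only the first sample reaches websCgiHandler in both variants; the other three miss every prefix in the unchecked dispatch and are rejected with 400 in the checked one.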


#######################################################################


---
Luigi Auriemma
https://aluigi.altervista.org