what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

gwebTraversal.txt

gwebTraversal.txt
Posted Mar 3, 2004
Authored by Donato Ferrante | Site autistici.org

GWeb HTTP server version 0.6 is susceptible to a directory traversal bug that allows remote attackers to access files outside of the webroot.

tags | exploit, remote, web
SHA-256 | c20a48105f58c207217782b131ab51bde54557edd4d00995be8d9650ff678743

gwebTraversal.txt

Change Mirror Download

Donato Ferrante


Application: GWeb HTTP Server
https://freshmeat.net/projects/gweb/

Version: 0.6

Bug: directory traversal bug

Author: Donato Ferrante
e-mail: fdonato@autistici.org
web: www.autistici.org/fdonato


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The Fix



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"GWeb is a project to develop an HTTP server using Java, making it
small and portable. It will run on any system running the Java
Runtime Environment."


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The program doesn't check for malicious patterns like "/../", so an
attacker is able to see and download all the files on the remote
system simply using a browser.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerability:

https://[host]/../../../../../../windows/system.ini

or:

https://[host]/../someFile



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The Fix:
------------

No fix.
The vendor has not answered to my signalations.

If you want, you can use my following little patch, that should fix
the bug for this version of GWeb HTTP Server:

...
..
.

(line: 136) String dir="www"+System.getProperty("file.separator");

/* start of patch */

int f_len = f.length();
boolean check = false;

for(int bi = 0; bi < f.length()-2 && check == false; bi++){

if(
(f.charAt(bi) == '\"') || (f.charAt(bi)=='/') &&
(f.charAt(bi+1)=='.') && (f.charAt(bi+2) == '.')

){

f_len = 0;
check = true;
}

else if(
(f.charAt(bi)=='.') &&
(f.charAt(bi+1) == '.')

){

f_len = 0;
check = true;
}

}

if(f_len <= 2) // before "if(f.length()==0)"

/* end of patch */

{
file=dir+"index.html";

}

.
..
...



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close