exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PWebServer033.txt

PWebServer033.txt
Posted Mar 9, 2004
Authored by Donato Ferrante | Site autistici.org

PWebServer version 0.3.3 suffers from a directory traversal attack that allows a remote attacker to access any file outside of the webroot.

tags | exploit, remote
SHA-256 | ea3ca487389324ffa7305aa2021d36ed14251e5d30dd90ae1340b73839d76f18

PWebServer033.txt

Change Mirror Download

Donato Ferrante


Application: PWebServer
https://sourceforge.net/projects/pwebserver/

Version: 0.3.3

Bug: directory traversal bug

Author: Donato Ferrante
e-mail: fdonato@autistici.org
web: www.autistici.org/fdonato


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The fix



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"A simple Java multi-threaded Web Server that supports HTTP/1.0
protocol."


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The program doesn't check for malicious patterns like "/../", so an
attacker is able to see and download all the files on the remote
system simply using a browser.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerability:

https://[host]:6789/../someFile

or:

https://[host]:6789/../../../../etc/passwd



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

Bug fixed in the version 0.3.4.

If you want, you can use my following little patch, that should fix
the bug for this version of PWebServer:

..
.
.

( line: 99 )
fileName = tokenizedLine.nextToken(); // get the relative file name

/* start of patch */


boolean check = false;
for(int t = 0; t < fileName.length()-1 && check == false; t++){
if(fileName.charAt(t) == '.' && fileName.charAt(t+1) == '.')
check = true;
}
if(check == true)
fileName = "";


/* end of patch */

/* empty filename */
if(fileName.equals("") | fileName.equals("/"))
{

.
.
..



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close