Donato Ferrante

Application:  PWebServer
              http://sourceforge.net/projects/pwebserver/
Version:      0.3.3
Bug:          directory traversal bug
Author:       Donato Ferrante
e-mail:       fdonato@autistici.org
web:          www.autistici.org/fdonato

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The fix

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"A simple Java multi-threaded Web Server that supports HTTP/1.0 protocol."

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The program doesn't check the requested path for malicious patterns like
"/../", so an attacker is able to view and download any file on the remote
system using nothing more than a browser.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerability:

  http://[host]:6789/../someFile

or:

  http://[host]:6789/../../../../etc/passwd

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

The bug is fixed in version 0.3.4. If you want, you can use the following
little patch of mine, which should fix the bug for this version of
PWebServer:

  ..
  .
  .
  ( line: 99 )
  fileName = tokenizedLine.nextToken(); // get the relative file name

  /* start of patch */
  // reject any requested file name that contains ".."
  boolean check = false;
  for (int t = 0; t < fileName.length() - 1 && check == false; t++) {
      if (fileName.charAt(t) == '.' && fileName.charAt(t + 1) == '.')
          check = true;
  }
  if (check == true)
      fileName = ""; // fall through to the empty-filename handling below
  /* end of patch */

  /* empty filename */
  if (fileName.equals("") | fileName.equals("/")) {
  .
  .
  ..

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
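The patch above blanks any file name containing the two characters "..", which stops the requests shown in section 3 but also rejects harmless names such as "notes..txt" and only matches the literal dots. A more general defence, added here as an illustration and not part of PWebServer or the author's patch, is to resolve the request against the document root with File.getCanonicalPath() and serve the file only if the canonical result stays inside the root. The class name, method names and the temporary document root used by main() are assumptions for the example.

```java
import java.io.File;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

/**
 * Added example (not PWebServer code): resolve a requested URL path against
 * a document root and refuse anything that escapes it. The class and method
 * names are assumptions made for this illustration.
 */
public class SafePathResolver {

    private final String rootCanonical;

    public SafePathResolver(File root) throws IOException {
        // Canonicalise once: this follows symlinks and collapses "." and ".."
        // segments, so later comparisons are against a normalised prefix.
        this.rootCanonical = root.getCanonicalPath();
    }

    /**
     * Returns the file the request may serve, or null when the request
     * resolves outside the document root.
     */
    public File resolve(String requestPath) throws IOException {
        // Decode percent-encoding so "%2e%2e" is seen as ".." before the check.
        String decoded = URLDecoder.decode(requestPath, StandardCharsets.UTF_8);

        // Reject NUL bytes, which native file APIs may treat as end of string.
        if (decoded.indexOf('\0') >= 0) {
            return null;
        }

        // A leading "/" in the child is resolved relative to the parent here,
        // so "/index.html" becomes <root>/index.html rather than an absolute path.
        File candidate = new File(rootCanonical, decoded);
        String candidateCanonical = candidate.getCanonicalPath();

        // Accept only the root itself or a path strictly inside it. The
        // separator in the prefix stops "/srv/www2" passing as inside "/srv/www".
        if (candidateCanonical.equals(rootCanonical)
                || candidateCanonical.startsWith(rootCanonical + File.separator)) {
            return candidate;
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed document root under the system temp directory.
        File root = new File(System.getProperty("java.io.tmpdir"), "pws-docroot");
        root.mkdirs();
        SafePathResolver resolver = new SafePathResolver(root);

        // Constructed sample requests: two from the advisory, one encoded
        // variant, and a legitimate name that the substring patch would reject.
        String[] requests = {
            "/index.html",
            "/../../../../etc/passwd",
            "/%2e%2e/%2e%2e/etc/passwd",
            "/notes..txt"
        };
        for (String req : requests) {
            File f = resolver.resolve(req);
            System.out.println(req + " -> " + (f == null ? "REJECTED" : f.getPath()));
        }
    }
}
```

Running main() shows the two traversal requests rejected while "/index.html" and "/notes..txt" resolve to files under the document root. Because the comparison is done on the canonical path rather than on the request string, the check does not depend on spotting every encoding of "..", and it can be placed at the same point in the request handler as the patch above (right after the file name is read from the request line).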