sh-httpd Arbitrary File/Directory Access

2003-10-27T10:45:25
ID OSVDB:2721
Type osvdb
Reporter OSVDB
Modified 2003-10-27T10:45:25

Description

Vulnerability Description

sh-httpd contains a flaw that allows a remote attacker to access arbitrary files and directories outside of the web path. The issue is due to the server not properly sanitizing user input, specifically directory traversal sequences (../../) supplied in the request URI. It is also possible for an attacker to execute arbitrary CGI programs outside of the /cgi-bin/ directory.
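As an added defensive illustration (this is not sh-httpd's own code and not the reporter's patch), the following POSIX sh functions show the kind of request-path check a shell-script HTTP server needs to close both issues described above: every parent-directory component is rejected before the path is mapped into the document root, percent-encoded dots and slashes are decoded first so they cannot slip past the check, and CGI execution is confined to the cgi-bin subdirectory. The DOCROOT value, the function names and the sample URIs are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of sh-httpd: safe mapping of a request URI to a
# filesystem path under a document root, plus a cgi-bin containment check.

DOCROOT=${DOCROOT:-/var/www}   # assumed document root location

# resolve_request_path ROOT URI
#   Prints the filesystem path for URI under ROOT and returns 0, or prints
#   nothing and returns 1 if the URI contains a parent-directory component.
resolve_request_path() {
    root=$1
    uri=$2
    # Drop any query string; only the path part is mapped to the filesystem.
    path=${uri%%\?*}
    # Decode %2e/%2E (dot) and %2f/%2F (slash) so encoded traversal
    # sequences are seen by the component check below.
    path=$(printf '%s' "$path" | sed 's/%2[eE]/./g; s/%2[fF]/\//g')
    old_ifs=$IFS
    IFS='/'
    clean=""
    # Walk the path one component at a time (IFS='/' splits on slashes).
    for comp in $path; do
        case "$comp" in
            ''|'.') continue ;;                 # skip empty and "." components
            '..') IFS=$old_ifs; return 1 ;;     # any ".." means traversal: reject
            *) clean="$clean/$comp" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$root${clean:-/}"
    return 0
}

# cgi_allowed SAFE_PATH ROOT
#   Returns 0 only if SAFE_PATH (already cleaned by resolve_request_path)
#   lies inside ROOT/cgi-bin; anything else must not be executed as CGI.
cgi_allowed() {
    case "$1" in
        "$2"/cgi-bin/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demonstration on constructed request paths.
for req in /index.html /cgi-bin/test.cgi /../../etc/passwd '/cgi-bin/%2e%2e/%2e%2e/etc/passwd'; do
    if target=$(resolve_request_path "$DOCROOT" "$req"); then
        if cgi_allowed "$target" "$DOCROOT"; then kind=cgi; else kind=file; fi
        printf 'ALLOW %s -> %s (%s)\n' "$req" "$target" "$kind"
    else
        printf 'DENY  %s (traversal)\n' "$req"
    fi
done
```

The check works on path components rather than on a substring match for "..", so a legitimate file name such as "notes..txt" is still served while "/a/../b" and its percent-encoded forms are refused; the cgi-bin test is only meaningful after that cleaning, because a prefix match on an uncleaned path is exactly what traversal defeats.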

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, the vulnerability reporter has released a patch to address this vulnerability.

Short Description

sh-httpd contains a flaw that allows a remote attacker to access arbitrary files and directories outside of the web path. The issue is due to the server not properly sanitizing user input, specifically directory traversal sequences (../../) supplied in the request URI. It is also possible for an attacker to execute arbitrary CGI programs outside of the /cgi-bin/ directory.

Manual Testing Notes

telnet [victim] 80
GET
GET ../../../sh-httpd/p
GET /../../etc/s
GET ../../root/.b

References:

Vendor URL: http://freshmeat.net/projects/sh-httpd/
Vendor URL: http://lrp.steinkuehler.net/Packages/weblet.htm
Secunia Advisory ID: 10081
Mail List Post: http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0020.html
Keyword: Directory Traversal
ISS X-Force ID: 13519
Generic Exploit URL: http://packetstormsecurity.nl/0310-exploits/sh-httpd.txt
Bugtraq ID: 8897