goahead2.txt

2004-01-20T00:00:00
ID PACKETSTORM:32531
Type packetstorm
Reporter Luigi Auriemma
Modified 2004-01-20T00:00:00

Description

#######################################################################  
  
Luigi Auriemma  
  
Application: Goahead webserver  
http://www.goahead.com/webserver/webserver.htm  
Versions: <= 2.1.8  
Platforms: multiplatform  
Bug: bypassing of special directories management with the  
effect of downloading cgi-bin files and more  
Risk: medium/high  
Exploitation: remote with browser  
Date: 19 Jan 2004  
Author: Luigi Auriemma  
e-mail: aluigi@altervista.org  
web: http://aluigi.altervista.org  
  
  
#######################################################################  
  
  
1) Introduction  
2) Bug  
3) The Code  
4) Fix  
  
  
#######################################################################  
  
===============  
1) Introduction  
===============  
  
  
Goahead webserver is an embedded open-source server that can be built on
many systems (CE, Ecos, GNU/Linux, Lynx, MacOS, NW, QNX4, VXWORKS,
Win32 and others).
It is supported by many companies that use it for their projects, and
it is also used as a "base" for other webservers; furthermore it has
been developed to be very tiny and to run on embedded systems.
  
  
#######################################################################  
  
======  
2) Bug  
======  
  
  
Goahead webserver has an internal problem that makes it accept also
HTTP requests that don't start with the slash or that contain
backslashes (both \ and %5c) after, or in place of, the initial
slash.
So a correct request such as "GET /file HTTP/1.0" is accepted, but so
is a bad request such as "GET file HTTP/1.0", "GET \file HTTP/1.0",
"GET /\\%5cfile HTTP/1.0" and so on.
  
This bug leads to the bypassing of the management of the "special"
directories (such as cgi-bin), which are then treated as normal
"unmanaged" directories.

In fact the server uses a function called websUrlHandlerDefine() that
lets the admin specify how each directory he wants should be handled.
For example, by default we have
  
websUrlHandlerDefine(T("/goform"), NULL, 0, websFormHandler, 0);  
  
used to execute the built-in functions written by the admin, or
  
websUrlHandlerDefine(T("/cgi-bin"), NULL, 0, websCgiHandler, 0);  
  
used just to handle the cgi-bin directory.

So if an attacker uses an HTTP request like one of those shown above,
he easily bypasses the handling decided by the admin for a specific
directory (function websUrlHandlerRequest()), because the handler
prefix (for example "/cgi-bin") no longer matches the start of the
request path.

The most common and useful effect of this bug is the download and the
viewing of any file in the cgi-bin directory.
  
  
#######################################################################  
  
===========  
3) The Code  
===========  
  
  
Some examples for reading the files in the cgi-bin directory:  
  
http://server/\cgi-bin/cgitest.c  
http://server/\\\cgi-bin/cgitest.c  
http://server/%5ccgi-bin/cgitest.c  
  
"GET cgi-bin/cgitest.c HTTP/1.0"  
"GET \cgi-bin/cgitest.c HTTP/1.0"  
"GET %5ccgi-bin/cgitest.c HTTP/1.0"  
  
  
#######################################################################  
  
======  
4) Fix  
======  
  
  
No official fix.

A simple patch is to add the following 3 lines of code at about
line 265 of the file handler.c, in the function
"int websUrlHandlerRequest(webs_t wp)":

/* reject a path that does not start with '/' or contains a backslash */
if ((wp->path[0] != '/') || strchr(wp->path, '\\')) {
    websError(wp, 400, T("Bad request"));
    return(0);
}
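To make the handler bypass and the proposed check concrete, here is an added example (not code from the advisory or from GoAhead) that models the prefix matching of websUrlHandlerRequest() in a few lines of C, with and without the check above. The functions request_path_ok, handler_claims and dispatch are hypothetical names, and the request path is assumed to be already %-decoded (so %5c has become a backslash).

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not GoAhead code: a minimal model of the prefix
 * handler table built with websUrlHandlerDefine() and of the check
 * the advisory adds to websUrlHandlerRequest(). Function names are
 * hypothetical; paths are assumed already %-decoded (%5c -> '\\'). */

/* 1 if the path starts with '/' and contains no backslash. */
int request_path_ok(const char *path)
{
    if (path == NULL || path[0] != '/')
        return 0;
    return strchr(path, '\\') == NULL;
}

/* Prefix match as done for a registered handler such as "/cgi-bin". */
int handler_claims(const char *prefix, const char *path)
{
    return strncmp(prefix, path, strlen(prefix)) == 0;
}

/* Returns "rejected", "cgi" or "default". With enforce_check == 0 the
 * original behaviour is modelled: a path written as "\cgi-bin/..." or
 * "cgi-bin/..." misses the "/cgi-bin" prefix and falls through to the
 * default file handler, which serves the CGI source as a plain file. */
const char *dispatch(const char *path, int enforce_check)
{
    if (enforce_check && !request_path_ok(path))
        return "rejected";
    if (handler_claims("/cgi-bin", path))
        return "cgi";
    return "default";
}

int main(void)
{
    const char *tests[] = {
        "/cgi-bin/cgitest.c",   /* well-formed: CGI handler runs */
        "cgi-bin/cgitest.c",    /* no leading slash */
        "\\cgi-bin/cgitest.c",  /* leading backslash (or %5c) */
        "/\\cgi-bin/cgitest.c", /* slash followed by backslash */
        "/index.html",          /* ordinary static file */
    };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++)
        printf("%-22s unpatched=%-8s patched=%s\n", tests[i],
               dispatch(tests[i], 0), dispatch(tests[i], 1));
    return 0;
}
```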
  
  
#######################################################################  
  
  
---   
Luigi Auriemma  
http://aluigi.altervista.org  