ID PACKETSTORM:36042 Type packetstorm Reporter Donato Ferrante Modified 2005-02-06T00:00:00
Description
`
Donato Ferrante
Application: RaidenHTTPD
http://www.raidenhttpd.com/
Version: 1.1.27
Bug: directory traversal
Date: 05-Feb-2005
Author: Donato Ferrante
e-mail: fdonato@autistici.org
web: www.autistici.org/fdonato
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description
2. The bug
3. The code
4. The fix
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------
1. Description:
----------------
Vendor's Description:
"RaidenHTTPD is a full featured web server software for Windows 98/Me/
2000/XP/2003 platforms."
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
2. The bug:
------------
By default the program has some checks to reject malicious patterns
like "/../" in HTTP requests, but it does not properly handle the
initial "/" in requests. In fact, if you send a request like:
> GET /somefile HTTP/1.1
the webserver will return the requested file if available in the
DocumentRoot directory.
But if you send a request like:
> GET somefile HTTP/1.1
the webserver will return the requested file if available on the
disk partition where the httpd is installed.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
3. The code:
-------------
To test the vulnerability, send a raw HTTP request to the server like:
GET windows/system.ini HTTP/1.1
Host: localhost
This will display Windows' system.ini if the HTTP server is installed
on the same partition as Windows.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
4. The fix:
------------
Vendor was contacted.
Bug fixed in version 1.1.31.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
`
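The server-side check that section 2 shows to be missing, as an added example (not code from the advisory or from RaidenHTTPD): the request target must begin with "/" before it is mapped to a file, and the mapped path must still lie under DocumentRoot after normalisation. The DocumentRoot value, function name and sample requests are assumptions constructed for illustration; `ntpath` is used so Windows path rules apply on any host.

```python
import ntpath
from urllib.parse import unquote

DOCROOT = r"C:\httpd\htdocs"  # assumed DocumentRoot, constructed for this example


def resolve_target(request_line, docroot=DOCROOT):
    """Map an HTTP request line to a file under docroot, or return None to reject."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    target = parts[1].split("?", 1)[0]  # drop any query string
    # Only origin-form targets are served: the path must begin with "/".
    # A target such as "windows/system.ini" (section 3) is refused here.
    if not target.startswith("/"):
        return None
    path = unquote(target)  # decode %2e, %5c and similar before checking
    # NUL truncates paths in some APIs; ":" would allow drive letters or NTFS streams
    if "\x00" in path or ":" in path:
        return None
    # Treat both separators alike and make the path relative to docroot
    rel = path.replace("/", "\\").lstrip("\\")
    root = ntpath.normpath(docroot)
    full = ntpath.normpath(ntpath.join(root, rel))
    # Containment check on the normalised result (Windows paths are case-insensitive)
    if full != root and not full.lower().startswith(root.lower() + "\\"):
        return None
    return full


# Constructed sample request lines; the second is the one from section 3
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET windows/system.ini HTTP/1.1",
    "GET /../windows/system.ini HTTP/1.1",
    "GET /%2e%2e%5c%2e%2e%5cwindows/system.ini HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{line!r:60} -> {resolve_target(line)}")
```
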