Search...

RaidenHTTPD.txt

2005-02-06T00:00:00

ID PACKETSTORM:36042
Type packetstorm
Reporter Donato Ferrante
Modified 2005-02-06T00:00:00

Description

                                        
                                            `  
Donato Ferrante  
  
  
Application: RaidenHTTPD  
http://www.raidenhttpd.com/  
  
Version: 1.1.27  
  
Bug: directory traversal  
  
Date: 05-Feb-2005  
  
Author: Donato Ferrante  
e-mail: fdonato@autistici.org  
web: www.autistici.org/fdonato  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
1. Description  
2. The bug  
3. The code  
4. The fix  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
----------------  
1. Description:  
----------------  
  
Vendor's Description:  
  
"RaidenHTTPD is a full featured web server software for Windows 98/Me/  
2000/XP/2003 platforms."  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
------------  
2. The bug:  
------------  
  
The program by default has some checks to avoid malicious patterns  
like "/../" into http requests, but the program doesn't well manage  
the initial "/" into requests. In fact if you send a request like:  
  
&gt; GET /somefile HTTP/1.1  
  
the webserver will return the requested file if available in the  
DocumentRoot directory.  
  
  
But if you send a request like:  
  
&gt; GET somefile HTTP/1.1  
  
the webserver will return the requested file if available in the  
disk partition where the httpd is installed.  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
-------------  
3. The code:  
-------------  
  
To test the vulnerability, send a raw http request to the server like:  
  
GET windows/system.ini HTTP/1.1  
Host: localhost  
  
  
this will display Windows' system.ini, if the http server is installed  
on the same partition of Windows.  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
  
------------  
4. The fix:  
------------  
  
Vendor was contacted.  
Bug fixed in the version 1.1.31.  
  
  
  
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
`

JSON Vulners Source

Initial Source

{"id": "PACKETSTORM:36042", "type": "packetstorm", "bulletinFamily": "exploit", "title": "RaidenHTTPD.txt", "description": "", "published": "2005-02-06T00:00:00", "modified": "2005-02-06T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/36042/RaidenHTTPD.txt.html", "reporter": "Donato Ferrante", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:28:34", "viewCount": 10, "enchantments": {"score": {"value": -0.6, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.6}, "sourceHref": "https://packetstormsecurity.com/files/download/36042/RaidenHTTPD.txt", "sourceData": "` \nDonato Ferrante \n \n \nApplication: RaidenHTTPD \nhttp://www.raidenhttpd.com/ \n \nVersion: 1.1.27 \n \nBug: directory traversal \n \nDate: 05-Feb-2005 \n \nAuthor: Donato Ferrante \ne-mail: fdonato@autistici.org \nweb: www.autistici.org/fdonato \n \n \n \nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \n \n1. Description \n2. The bug \n3. The code \n4. The fix \n \n \n \nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \n \n---------------- \n1. Description: \n---------------- \n \nVendor's Description: \n \n\"RaidenHTTPD is a full featured web server software for Windows 98/Me/ \n2000/XP/2003 platforms.\" \n \n \n \nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \n \n------------ \n2. The bug: \n------------ \n \nThe program by default has some checks to avoid malicious patterns \nlike \"/../\" into http requests, but the program doesn't well manage \nthe initial \"/\" into requests. In fact if you send a request like: \n \n> GET /somefile HTTP/1.1 \n \nthe webserver will return the requested file if available in the \nDocumentRoot directory. \n \n \nBut if you send a request like: \n \n> GET somefile HTTP/1.1 \n \nthe webserver will return the requested file if available in the \ndisk partition where the httpd is installed. \n \n \n \nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \n \n------------- \n3. The code: \n------------- \n \nTo test the vulnerability, send a raw http request to the server like: \n \nGET windows/system.ini HTTP/1.1 \nHost: localhost \n \n \nthis will display Windows' system.ini, if the http server is installed \non the same partition of Windows. \n \n \n \nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \n \n------------ \n4. The fix: \n------------ \n \nVendor was contacted. \nBug fixed in the version 1.1.31. \n \n \n \nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647283573}}