
shttp004-traverse.txt

25 Oct 2007 | Reported by Pete Foster | Type: packetstorm | Source: packetstormsecurity.com

Directory Traversal Flaw in shttp. Version 0.0.4 does not prevent directory traversal attacks, allowing access to sensitive system files.

Code
`The most recent version of this advisory (including any updates) is  
available at:  
http://www.digineo.co.uk/shttp_directory_traversal  
  
Directory Traversal Flaw in shttp  
---------------------------------  
Affected product: shttp  
Product vendor: Vito Caputo - (http://serverkit.org/modules/contrib/shttp/)  
Affected version: 0.0.4  
  
Product description  
-------------------  
Shttp is a partial implementation of HTTP/1.1. It does not strictly follow  
the RFC but works well enough to serve static content for  
personal/experimental/educational use. The module consists of just over 1000  
LoC making it an excellent example of what can be done with ServerKit with  
little effort and a great learning tool for those getting started with  
ServerKit programming.  
  
  
Problem analysis  
----------------  
While examining the source code of shttp.c, it was noted that the  
safe_path(char *path) function does not entirely prevent directory traversal  
attacks. The affected function analyses the supplied URI and returns a value  
indicating the folder distance from the document root. Positive return  
values indicate child folders, negative values indicate parent folders and  
hence directory traversal attempts. However, the function does not trap  
directory traversal attacks where the target file is deeper within the  
folder hierarchy than the web document root.  
  
  
Problem example  
---------------  
Assuming that the product has been installed with the default document root  
(/var/www), the following demonstrates the problem:  
  
HEAD /../../etc/passwd HTTP/1.0  
  
HTTP/1.1 400 Bad Request  
Content-Type: text/html  
Server: Shttp/ServerKit  
Date: Thu, 25 Oct 2007 16:31:30 GMT  
Connection: close  
  
  
HEAD /../../var/log/messages HTTP/1.0  
  
HTTP/1.1 200 OK  
Content-Length: 178455  
Content-Type: text/plain  
Last-Modified: Thu, 25 Oct 2007 16:36:39 GMT  
Server: Shttp/ServerKit  
Date: Thu, 25 Oct 2007 16:42:32 GMT  
Connection: close  
  
  
Rectification  
-------------  
This issue has been addressed and rectified in version 0.0.5 of shttp,  
available from http://serverkit.org/modules/contrib/shttp/.  
digineo thanks Vito Caputo for his assistance and rapid response with  
regards to this issue.  
  
  
Discovery timeline  
------------------  
20071024 - Issue discovered  
20071025 - Vendor notified  
20071025 - Vendor response  
20071025 - Update released  
20071026 - Advisory published  
  
  
--   
Pete Foster  
digineo Limited  
`
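The check described under "Problem analysis" can be modelled as follows. This is an added example, not code from shttp or from the advisory: the function names are hypothetical, and the counting rule (folders only, reject when the final distance is negative) is an assumption reconstructed from the advisory's description and its two sample responses. It places that net-distance check beside a stricter one that rejects as soon as the running depth rises above the document root.

```c
#include <stdio.h>
#include <string.h>

/* Flawed idea as the advisory describes it (reconstruction, not shttp's
 * source): net folder distance from the document root over the whole URI.
 * Components followed by '/' are folders; the last one is the file. */
static int net_depth(const char *path)
{
    int depth = 0;
    for (const char *p = path; *p; ) {
        while (*p == '/') p++;                     /* skip separators */
        const char *end = strchr(p, '/');
        if (!end) break;                           /* file name: not counted */
        size_t len = (size_t)(end - p);
        if (len == 2 && p[0] == '.' && p[1] == '.') depth--;
        else if (!(len == 1 && p[0] == '.')) depth++;
        p = end;
    }
    return depth;
}

/* Accepts any path whose final distance is not negative. */
static int flawed_is_safe(const char *path) { return net_depth(path) >= 0; }

/* Hardened: fail the moment the running depth goes above the root, so a
 * later descent cannot cancel an earlier "..". */
static int strict_is_safe(const char *path)
{
    int depth = 0;
    for (const char *p = path; *p; ) {
        while (*p == '/') p++;
        size_t len = strcspn(p, "/");
        if (len == 0) break;
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0) return 0;             /* escaped the root */
        } else if (!(len == 1 && p[0] == '.')) depth++;
        p += len;
    }
    return 1;
}

int main(void)
{
    /* The two request paths from the advisory plus one benign path. */
    const char *t[] = { "/../../etc/passwd", "/../../var/log/messages", "/docs/../index.html" };
    for (int i = 0; i < 3; i++)
        printf("%-26s flawed=%d strict=%d\n", t[i], flawed_is_safe(t[i]), strict_is_safe(t[i]));
    return 0;
}
```

Either check has to run on the path after URL decoding. Resolving the full path with realpath() and confirming it still starts with the document root is the more robust design, since it also covers symbolic links.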
