SECURITYVULNS:DOC:1241
Feb 03, 2001

GoAhead Web Server Directory Traversal Vulnerability


Hello!

We have found a bug in the GoAhead WebServer, v.2.0 and v.2.1.

An attacker can retrieve any file from the drive where the web server is installed.

Try the following request:

http://www.somehost.com/..\..\..\..\..\..\autoexec.bat

This vulnerability may also allow an attacker to execute code with the
privileges of the GoAhead process (Administrator? or root?):

http://www.somehost.com/cgi-bin/..\..\..\..\..\..\winnt\system32\cmd.exe?/c+dir+c:\
Patch for this vulnerability:

in file: url.c
in function websUrlParse(…)

    int websUrlParse(char_t *url, char_t **pbuf, char_t **phost, char_t **ppath,
        char_t **pport, char_t **pquery, char_t **pproto, char_t **ptag,
        char_t **pext)
    {
        char_t *tok, *cp, *host, *path, *port, *proto, *tag, *query,
               *ext, *slash;
        char_t *last_delim, *hostbuf, *portbuf, *buf;
        int c, len, ulen;

        a_assert(url);
        a_assert(pbuf);

        ulen = gstrlen(url);

    /*
     *  Deny directory traversal vulnerability
     */

        while((slash = strchr(url, '\\')) != NULL) {
            *slash = '/';
        }

    /*
     *  We allocate enough to store separate hostname and port number fields.
     *  As there are 3 strings in the one buffer, we need room for 3 null chars.
     *  We allocate MAX_PORT_LEN char_t's for the port number.
     */

Sergey Nenashev <[email protected]>
Yevgeny V.Yourkhov <[email protected]>
Security Administrator Team
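
The patch above only turns `\` into `/`; that helps only if `..` segments are then resolved and kept inside the web root. The following added example (not GoAhead code and not part of the advisory) does both steps in one routine; the name `canon_url_path` is hypothetical, and the path is assumed to be percent-decoded already.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not GoAhead code: canonicalise a URL path in place.
 * Assumes the path is already percent-decoded. Returns 0 on success,
 * -1 if the path is malformed or climbs above the web root. */
int canon_url_path(char *path)
{
    char *src, *dst, *seg;
    size_t len;
    if (path == NULL || path[0] != '/')
        return -1;
    /* Same step as the patch: make '\' a separator before any check. */
    for (src = path; *src != '\0'; src++)
        if (*src == '\\')
            *src = '/';
    src = dst = path;        /* output never outruns input */
    while (*src != '\0') {
        while (*src == '/')  /* collapse runs of separators */
            src++;
        seg = src;
        while (*src != '\0' && *src != '/')
            src++;
        len = (size_t)(src - seg);
        if (len == 0 || (len == 1 && seg[0] == '.'))
            continue;        /* trailing '/' or "." : nothing to emit */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (dst == path)
                return -1;   /* ".." would leave the web root */
            while (*--dst != '/')
                ;            /* drop the previous segment */
            continue;
        }
        *dst++ = '/';
        memmove(dst, seg, len);
        dst += len;
    }
    if (dst == path)
        *dst++ = '/';
    *dst = '\0';
    return 0;
}

int main(void)
{
    char req[] = "/cgi-bin/..\\..\\..\\file.txt";  /* constructed sample */
    printf("%d\n", canon_url_path(req));
    return 0;
}
```

A request is served only when the function returns 0, and the file lookup uses the rewritten path rather than the original string.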