Hello!
We have found a bug in the GoAhead WebServer, v.2.0 and v.2.1.
Attacker can get any file from the drive, where web-server was installed.
try follow request
http://www.somehost.com/..\..\..\..\..\..\autoexec.bat
This vulnerability may allow an attacker to execute code with the
privileges of the GoAhead ( Administrator? or root? )
Patch for this vulnerability:
in file: url.c
in function websUrlParse(…)
int websUrlParse(char_t *url, char_t pbuf, char_tphost, char_t **ppath,
char_t pport, char_tpquery, char_t pproto, char_tptag,
char_t **pext)
{
char_t *tok, *cp, *host, *path, *port, *proto, *tag, *query,
*ext, *slash;
char_t *last_delim, *hostbuf, *portbuf, *buf;
int c, len, ulen;
a_assert(url);
a_assert(pbuf);
ulen = gstrlen(url);
/*
Deny directory traversal vulnerability
*/
while((slash = strchr(url, '\\')) != NULL) {
*slash = '/';
}
/*
We allocate enough to store separate hostname and port number fields.
As there are 3 strings in the one buffer, we need room for 3 null
chars.
We allocate MAX_PORT_LEN char_t's for the port number.
*/
–
Sergey Nenashev <[email protected]>
Yevgeny V.Yourkhov <[email protected]>
Security Administrator Team