Directory traversal flaw in shttp

2007-10-26T00:00:00
ID SECURITYVULNS:DOC:18293
Type securityvulns
Reporter Securityvulns
Modified 2007-10-26T00:00:00

Description

The most recent version of this advisory (including any updates) is available at: http://www.digineo.co.uk/shttp_directory_traversal

Directory Traversal Flaw in shttp

Affected product: shttp Product vendor: Vito Caputo - (http://serverkit.org/modules/contrib/shttp/) Affected version: 0.0.4

Product description

Shttp is a partial implementation of HTTP/1.1. It does not strictly follow the RFC but works well enough to serve static content for personal/experimental/educational use. The module consists of just over 1000 LoC making it an excellent example of what can be done with ServerKit with little effort and a great learning tool for those getting started with ServerKit programming.

Problem analysis

While examining the source code of shttp.c, it was noted that the safe_path(char *path) function does not entirely prevent directory traversal attacks. The affected function analyses the supplied URI and returns a value indicating the folder distance from the document root. Positive return values indicate child folders, negative values indicate parent folders and hence directory traversal attempts. However, the function does not trap directory traversal attacks where the target file is deeper within the folder hierarchy than the web document root.

Problem example

Assuming that the product has been installed with the default document root (/var/www), the following demonstrates the problem:

HEAD /../../etc/passwd HTTP/1.0

HTTP/1.1 400 Bad Request Content-Type: text/html Server: Shttp/ServerKit Date: Thu, 25 Oct 2007 16:31:30 GMT Connection: close

HEAD /../../var/log/messages HTTP/1.0

HTTP/1.1 200 OK Content-Length: 178455 Content-Type: text/plain Last-Modified: Thu, 25 Oct 2007 16:36:39 GMT Server: Shttp/ServerKit Date: Thu, 25 Oct 2007 16:42:32 GMT Connection: close

Rectification

This issue has been addressed and rectified in version 0.0.5 of shttp, available from http://serverkit.org/modules/contrib/shttp/. digineo thanks Vito Caputo for his assistance and rapid response with regards to this issue.

Discovery timeline

20071024 - Issue discovered 20071025 - Vendor notified 20071025 - Vendor response 20071025 - Update released 20071026 - Advisory published

-- Pete Foster digineo Limited