Hexyn / Securax Advisory #18 - Savant WWW Unicode Directory Traversal

Topic:     Savant WWW Unicode Directory Traversal
Announced: 2001-02-17
Affects:   Savant WWW Unicode version 2.1

DISCLAIMER:
***********
THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR RESULTS. THEREFORE WE
CANNOT ENSURE YOU THE INFORMATION BELOW IS 100% CORRECT. THIS DOCUMENT IS
SUBJECT TO CHANGE WITHOUT PRIOR NOTICE.

I. Problem Description
**********************
Savant WWW Server is an HTTP server for Windows 9x/NT. A bug allows any user to
change to any directory and, in most cases, execute MS-DOS commands.

II. Impact
**********
Savant filters "/.." out of the request string, but does not filter the
URL-encoded form "%2f..".

Example:
--------
http://www.testserver.com/%2f..%2f..%2f../

HTTP Directory of //../../../

Notes:
- When the user does not know a directory which allows listings, one cannot get
  a listing, but one can still download known files.
- When the user knows a directory which allows CGI execution, one can execute
  MS-DOS commands using:
  http://www.test_server.com/cgi-bin/%2f..%2f..%2f../cmd.exe?+/c+dir

III. Solution
*************
At this time, no patch is available.

IV. Credits
***********
Bug discovered by t-Omicr0n

Greets to: f0bic, The Incubus, R00T-dude, cicer0, vorlon, sentinel, oPr,
Reggie, F_F, Shaolin_p, Segfau|t, NecrOmaN, Zym0t1c, l0r3, Preat0r, T0SH,
zeroX, AreS, tips, Lacrima, GigaByte and everyone at #securax@irc.hexyn.be

--
t-Omicr0n @ http://t-Omicr0n.hexyn.be
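The filter weakness in section II, shown as an added example (this is not Savant's code nor the advisory's): a model of the "strip /.. from the raw string" filter beside a decode-then-normalize check that confines the result to the document root. The document root path and the helper names are assumptions.

```python
"""Added example, not Savant's code: a literal "/.." filter on the raw request
path versus a decode-first, normalize, then confine check. DOCROOT is a
constructed sample value."""
from typing import Optional
from urllib.parse import unquote
import posixpath

DOCROOT = "/srv/www"  # constructed sample document root


def naive_filter(raw_path: str) -> str:
    """Models the behaviour the advisory describes: remove the literal
    "/.." sequence from the request string and serve whatever remains."""
    return raw_path.replace("/..", "")


def resolve_naive(raw_path: str) -> str:
    """Apply the naive filter, then percent-decode and join to the document
    root as a file-serving layer would. Returns the filesystem path reached."""
    decoded = unquote(naive_filter(raw_path))  # "%2f" becomes "/" only here
    return posixpath.normpath(DOCROOT + "/" + decoded)


def resolve_hardened(raw_path: str) -> Optional[str]:
    """Decode first (repeatedly, so double-encoding cannot hide a separator),
    normalize, then require the result to stay under DOCROOT. Returns None
    when the request must be rejected."""
    decoded = raw_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "%" in decoded:  # still encoded after several passes: reject
        return None
    # Treat backslashes as separators too, since the server runs on Windows.
    decoded = decoded.replace("\\", "/")
    joined = posixpath.normpath(DOCROOT + "/" + decoded.lstrip("/"))
    if joined != DOCROOT and not joined.startswith(DOCROOT + "/"):
        return None
    return joined
```

The naive path is contained for the literal form but escapes to "/" for the encoded form from the advisory; the hardened check rejects both encoded requests and still serves ordinary files.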