Donato Ferrante Application: Tiny Server http://sourceforge.net/projects/tinyserver Version: 1.1 (1.0.5) Bugs: Multiple Vulnerabilities Author: Donato Ferrante e-mail: fdonato@autistici.org web: www.autistici.org/fdonato xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 1. Description 2. The bugs 3. The code 4. The fix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ---------------- 1. Description: ---------------- Vendor's Description: "This is a very basic http server. This server can accept multiple requests at once. The server is only 56 kb. The server has been configured to accept a maximum of 100 connections. As of now Tiny Server supports only the GET request." xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ------------- 2. The bugs: ------------- [1] directory traversal bug: the program does't make a good check on the user input string ( /../ ) so an attacker is able to see and download all the files on the remote system simply using his browser. [2] denial of service bug: the program have no checks on the input strings received, so an attacker is able to crash the server simply sending a crafted string. [3] cross site scripting bug: the program doesn't make a full check on the strings sent by the client, in fact the input strings are not filtered and they will appear in the returned page. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ------------- 3. The code: ------------- The following are some examples to test the vulnerabilities: [1] http://[host]/../../windows/system.ini [2] GET /index.htm ( without specify HTTP/1.1 ) or simply: index.htm ( without specify GET and HTTP/1.1 ) or: GET /aaaaaa[ 260 of a ]aaa HTTP/1.1 [3] http://[host]/ xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ------------ 4. The fix: ------------ No fix. The vendor has not answered to my signalations. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx