Donato Ferrante Application: GWeb HTTP Server http://freshmeat.net/projects/gweb/ Version: 0.6 Bug: directory traversal bug Author: Donato Ferrante e-mail: fdonato@autistici.org web: www.autistici.org/fdonato xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 1. Description 2. The bug 3. The code 4. The Fix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ---------------- 1. Description: ---------------- Vendor's Description: "GWeb is a project to develop an HTTP server using Java, making it small and portable. It will run on any system running the Java Runtime Environment." xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ------------ 2. The bug: ------------ The program doesn't check for malicious patterns like "/../", so an attacker is able to see and download all the files on the remote system simply using a browser. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ------------- 3. The code: ------------- To test the vulnerability: http://[host]/../../../../../../windows/system.ini or: http://[host]/../someFile xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ------------ 4. The Fix: ------------ No fix. The vendor has not answered to my signalations. If you want, you can use my following little patch, that should fix the bug for this version of GWeb HTTP Server: ... .. . (line: 136) String dir="www"+System.getProperty("file.separator"); /* start of patch */ int f_len = f.length(); boolean check = false; for(int bi = 0; bi < f.length()-2 && check == false; bi++){ if( (f.charAt(bi) == '\"') || (f.charAt(bi)=='/') && (f.charAt(bi+1)=='.') && (f.charAt(bi+2) == '.') ){ f_len = 0; check = true; } else if( (f.charAt(bi)=='.') && (f.charAt(bi+1) == '.') ){ f_len = 0; check = true; } } if(f_len <= 2) // before "if(f.length()==0)" /* end of patch */ { file=dir+"index.html"; } . .. ... xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx