zbeng Posted March 11, 2007

1. Description:
----------------
Vendor's Description:
"A simple Java multi-threaded Web Server that supports HTTP/1.0 protocol."

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------
The program doesn't check for malicious patterns like "/../", so an attacker is able to see and download all the files on the remote system simply using a browser.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------
To test the vulnerability: http://[host]:6789/../someFile
or:
http://[host]:6789/../../../../etc/passwd

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------
Bug fixed in version 0.3.4.
If you want, you can use my following little patch, that should fix the bug for this version of PWebServer:

....
( line: 99 ) fileName = tokenizedLine.nextToken(); // get the relative file name

/* start of patch */
boolean check = false;
for (int t = 0; t < fileName.length() - 1 && check == false; t++) {
    if (fileName.charAt(t) == '.' && fileName.charAt(t + 1) == '.')
        check = true;
}
if (check == true)
    fileName = "";
/* end of patch */

/* empty filename */
if (fileName.equals("") | fileName.equals("/")) {
....
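As an added example (not PWebServer's code and not zbeng's patch), the containment check a defender would use instead of scanning the name for "..": resolve the requested name against the document root and serve it only if its canonical path stays inside that root. The helper name `resolveInRoot` and the temp-directory document root are assumptions made for the demo.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

public class SafePathDemo {
    // Hypothetical helper: maps a request path onto docRoot and returns the file
    // only when its canonical location is the root itself or lies below it.
    static File resolveInRoot(File docRoot, String requestPath) throws IOException {
        String rootCanon = docRoot.getCanonicalPath();
        File candidate = new File(docRoot, requestPath);
        // getCanonicalPath collapses ".", ".." and symlinks, also for paths that do not exist.
        String candCanon = candidate.getCanonicalPath();
        // Compare with a trailing separator so "/srv/www2" is not accepted as inside "/srv/www".
        if (candCanon.equals(rootCanon)
                || candCanon.startsWith(rootCanon + File.separator)) {
            return candidate;
        }
        return null; // escapes the root: the server should answer 403/404 instead
    }

    public static void main(String[] args) throws IOException {
        // Constructed document root in a temp directory, holding one real file.
        File docRoot = Files.createTempDirectory("pweb-root").toFile();
        Files.write(new File(docRoot, "index.html").toPath(), "<html/>".getBytes());

        String[] requests = {
            "/index.html",             // legitimate request inside the root
            "/../../../../etc/passwd", // the traversal pattern from the advisory
            "/sub/../index.html",      // contains ".." but still resolves inside the root
            "/index.html/../../x"      // climbs out through a non-directory component
        };
        for (String r : requests) {
            File f = resolveInRoot(docRoot, r);
            System.out.println(r + " -> " + (f == null ? "REJECTED" : "ok: " + f.getName()));
        }
    }
}
```

Unlike the substring check in the patch, this accepts names that merely contain ".." yet resolve inside the root, and still rejects every path whose canonical form leaves it.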