[shttpd-general] Security bugs in SHTTPD
From: Luigi A. <al...@au...> - 2007-12-03 12:08:56
Hey,
I was testing SHTTPD and found some problems I want to report.
Note that I tested only the 1.38 version on Windows so some of the bugs
or some exploitation methods could not work on other platforms.

The following are the details of the problems:

----------------------
A] directory traversal
----------------------

Using the "..\" pattern is possible to download any file in the disk on
which is located the web root directory.

--------------------------------------
B] scripts and CGI viewing/downloading
--------------------------------------

Any script or CGI in the server can be viewed/downloaded instead of
being executed simply adding the chars '+', '.', %20 (this one reported
by Shay priel in the summer 2007), %2e and any other byte (in hex format
too) major than 0x7f to the requested filename.

---

For testing them:

A]
http://SERVER/..\..\..\boot.ini
http://SERVER/..\%2e%2e%5c..\boot.ini

B]
http://SERVER/file.php+
http://SERVER/file.php.
http://SERVER/file.php%20
http://SERVER/file.php%80

BYEZ

---
Luigi Auriemma
http://aluigi.org
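
Added example, not part of the original post and not SHTTPD's own code: a C request-path check that rejects the inputs from sections A and B before the path is mapped to a file or a CGI handler. The function names and the 1024-byte buffer are assumptions, and refusing a trailing '+' and every byte outside printable ASCII is a strict policy chosen for this example.

```c
#include <ctype.h>
#include <stdlib.h>

/* Decode %XX escapes once. Returns the decoded length, or -1 on a
 * malformed escape, an embedded NUL byte or an output overflow. */
static int url_decode(const char *in, unsigned char *out, size_t cap)
{
    size_t n = 0;
    for (; *in; in++) {
        unsigned c = (unsigned char)*in;
        if (c == '%') {
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return -1;
            char hex[3] = { in[1], in[2], 0 };
            c = (unsigned)strtoul(hex, NULL, 16);
            in += 2;
        }
        if (c == 0 || n + 1 >= cap)
            return -1;
        out[n++] = (unsigned char)c;
    }
    out[n] = 0;
    return (int)n;
}

/* Returns 1 if the URI may be mapped under the web root, 0 if it must be refused. */
int request_path_ok(const char *uri)
{
    unsigned char p[1024];               /* assumed maximum path length */
    int len = url_decode(uri, p, sizeof p);
    if (len <= 0 || p[0] != '/')
        return 0;
    /* Validate the decoded bytes, so %5c and %80 are seen as what they are.
     * '\' is a path separator on Windows; ':' would allow drive or stream names. */
    for (int i = 0; i < len; i++)
        if (p[i] == '\\' || p[i] == ':' || p[i] < 0x20 || p[i] > 0x7e)
            return 0;
    /* Walk the '/'-separated segments. A segment ending in '.' (this also
     * covers "." and ".."), ' ' or '+' is refused: Win32 drops trailing dots
     * and spaces, so "file.php." would open file.php as a plain file. */
    for (int i = 1, start = 1; i <= len; i++) {
        if (p[i] != '/' && p[i] != 0)
            continue;
        if (i > start && (p[i - 1] == '.' || p[i - 1] == ' ' || p[i - 1] == '+'))
            return 0;
        start = i + 1;
    }
    return 1;
}
```

The check runs on the decoded path and must be the only decoding step; a second decode later in request handling would reopen the same hole.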