The GoAhead WebServer is an open standard web server compliant with all necessary standards to be an effective embedded Web server. The product suffers from a very serious directory traversal vulnerability that allows a malicious attacker to download files that reside outside the web root. In addition, it is possible to execute arbitrary commands on the server.
Credit:
The information has been provided by Sergey Nenashev.
Vulnerable systems:
GoAhead WebServer version 2.0
GoAhead WebServer version 2.1
Example:
Downloading arbitrary files:
http://www.example.com/..\..\..\..\..\..\autoexec.bat
Executing commands:
http://www.example.com/cgi-bin/..\..\..\..\..\..\winnt\system32\cmd.exe?/c+dir+c:\
Unofficial patch:
in file: url.c
in function websUrlParse(...)
int websUrlParse(char_t *url, char_t **pbuf, char_t **phost, char_t **ppath,
    char_t **pport, char_t **pquery, char_t **pproto, char_t **ptag,
    char_t **pext)
{
    char_t *tok, *cp, *host, *path, *port, *proto, *tag, *query, *ext, *slash;
    char_t *last_delim, *hostbuf, *portbuf, *buf;
    int c, len, ulen;

    a_assert(url);
    a_assert(pbuf);

    ulen = gstrlen(url);

/*
 * Deny directory traversal: rewrite every backslash in the URL to a
 * forward slash, in place, before the URL is parsed.
 */
    while ((slash = strchr(url, '\\')) != NULL) {
        *slash = '/';
    }

/*
 * We allocate enough to store separate hostname and port number fields.
 * As there are 3 strings in the one buffer, we need room for 3 null chars.
 * We allocate MAX_PORT_LEN char_t's for the port number.
 */
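
The patch treats a backslash as a path separator. As an added example (not part of the advisory and not GoAhead code), the stand-alone check below applies the same rule and goes further: it decodes percent-escapes once and resolves "." and ".." segments, so an encoded backslash is judged the same way as a literal one. The names hexval and path_escapes_root are hypothetical, and the inputs are constructed from the advisory's example URLs.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(unsigned char c)
{
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/*
 * Hypothetical check (not GoAhead code): returns 1 if the request path would
 * climb above the web root, 0 otherwise. Percent-escapes are decoded once and
 * a backslash is treated as '/' before the segments are walked.
 */
int path_escapes_root(const char *p)
{
    char seg[256];
    size_t n = 0;
    int depth = 0;
    for (;; p++) {
        int c = (unsigned char)*p;
        if (c == '?') c = '\0';                 /* query string is not path */
        if (c == '%' && hexval(p[1]) >= 0 && hexval(p[2]) >= 0) {
            c = hexval(p[1]) * 16 + hexval(p[2]);
            p += 2;
            if (c == '\0') return 1;            /* encoded NUL: reject */
        }
        if (c == '\\') c = '/';                 /* same rule as the patch */
        if (c != '/' && c != '\0') {
            if (n + 1 >= sizeof seg) return 1;  /* over-long segment: reject */
            seg[n++] = (char)c;
            continue;
        }
        seg[n] = '\0';                          /* end of one path segment */
        if (strcmp(seg, "..") == 0) { if (--depth < 0) return 1; }
        else if (n > 0 && strcmp(seg, ".") != 0) depth++;
        n = 0;
        if (c == '\0') return 0;                /* never went above the root */
    }
}

int main(void)
{
    /* Constructed input: path part of the advisory's first example URL. */
    printf("%d\n", path_escapes_root("/..\\..\\..\\..\\..\\..\\autoexec.bat"));
    return 0;
}
```

A ".." that stays inside the root, as in /cgi-bin/../index.html, is accepted; only a path whose depth drops below the root is rejected.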