|
|
|
|
| |
| sh-httpd is "a shell script-based web server that supports GET and HEAD methods and a CGI 1.1 interface". A vulnerability in the product allows remote attackers to execute and read any file they desire by requesting filenames with wildcards. |
| |
Credit:
The information has been provided by dong-h0un U.
|
| |
Vulnerable systems:
* sh-httpd version 0.4
* sh-httpd version 0.3
By requesting a filename from a remote host and inserting a wildcard ('*') with the filename, a remote attacker can read any file from the remote server or execute any CGI the attacker desires.
Examples:
GET *
GET ../../../sh-httpd/p*
GET /../../etc/s*
GET ../../root/.b*
Patch:
=== sh-httpd.patch ===
--- sh-httpd-0.4/sh-httpd Mon Oct 9 11:28:05 2000
+++ sh-httpd.patch Sat Jul 19 08:51:44 2003
@@ -31,7 +31,7 @@
bname() {
local IFS='/'
- set -- $1
+ set -- "$1"
eval rc="\$$#"
[ "$rc" = "" ] && eval rc="\$$(($# - 1))"
echo "$rc"
@@ -262,7 +262,7 @@
# Split URI into base and query string at ?
IFS='?'
- set -- $URI
+ set -- "$URI"
QUERY_STRING="$2"
URL="$1"
IFS=$OIFS
@@ -292,7 +292,7 @@
fi
DIR="`dname $URL`"
- FILE="`bname $URL`"
+ FILE="`bname "$URL"`"
# Check for existance of directory
if [ ! -d "$DOCROOT/$DIR" ]; then
=== eof ===
|
|
|
|
|
