Surfboard is "a small, simple HTTPd designed to be set up in a minimum of time and with a minimum of fuss. CGI is supported, and so are custom CGI handlers for various file extensions (e.g. .PHP - yes, it works!) POST support is not there, but in the works". Two vulnerabilities have been found in the product, allowing attackers to view files that reside outside the bounding HTML root directory, and to cause the server to consume a large amount of CPU time.
Credit:
The information has been provided by Luigi Auriemma.
Vulnerable systems:
* Surfboard HTTPd version 1.1.8 and prior
Directory Traversal
The web server checks for the dot-dot pattern only if there is a '?' in the URI (used for server-side scripts), so there is no protection against classic directory traversal. Note: fortunately, the web server doesn't support directory indexing, and version 1.0 is not affected by this bug.
Resource Consumption
The web server uses a strange method to read the browser's input: it loops until it receives a second line feed. Unfortunately, the web server doesn't check for errors, so if the client breaks the connection it enters an infinite loop, and the process (the web server uses fork()) is never terminated.
Exploits:
Directory Traversal:
http://server/../etc/passwd
http://server/../../../etc/passwd
Resource Consumption:
Connect to the server with telnet or netcat and then close the connection (without sending data).
Fix:
Luigi Auriemma alerted the author a week ago; in any case, patching the web server is very simple. The following patch can be applied to version 1.1.8:
--- surfboard.c 2001-04-11 19:23:36.000000000 +0000
+++ 1.c 2003-11-27 18:38:28.000000000 +0000
@@ -155,7 +155,7 @@
*/
while(1)
{
- while(read(s, &c, 1)<1);
+ if(read(s, &c, 1)<1) break;
if(c=='\r') { continue; }
if(c=='\n' && oldc=='\n') { break; }
oldc=c;
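Review bot: the new `if(read(s, &c, 1)<1) break;` treats every return below 1 the same way, so a read() interrupted by a signal (EINTR) is handled like the peer closing the connection, and from the context shown the code after the loop goes on to log and check whatever was collected in rawreq rather than abandoning the request. The change does remove the busy loop on EOF, but consider retrying when errno is EINTR and closing the socket or returning after the break, so that a truncated request is never parsed as if it were complete.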
@@ -167,7 +167,7 @@
sprintf(buf, "Asked for %s", rawreq);
log_msg(LOG_DEBUG, buf);
- if(strstr(rawreq, "..")<strstr(rawreq, "?") || strstr(rawreq,
"`")<strstr(rawreq, "?"))
+ if((!strstr(rawreq, "?")&&strstr(rawreq, "..")) || strstr(rawreq,
"..")<strstr(rawreq, "?") || strstr(rawreq, "`")<strstr(rawreq, "?"))
{
log_msg(LOG_ERR, "Relative path and/or shell escape - ATTACK ATTEMPT");
add2header(http_header, "HTTP/1.1 400 Bad Request\r\n");
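Review bot: the added clause `(!strstr(rawreq, "?")&&strstr(rawreq, ".."))` closes the no-'?' gap only for "..": a backtick in a URI without a '?' still depends on `strstr(rawreq, "`")<strstr(rawreq, "?")`, which compares against NULL and so never fires. More generally, ordering two strstr() results with `<` is undefined when either is NULL, and on common platforms NULL < pointer evaluates true, so a request that contains '?' but no ".." is also rejected by the first comparison. Suggest computing the position of '?' once (treating its absence as the end of the string) and checking for ".." and '`' only within that prefix, which removes both the pointer comparison and the dependency on '?'.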
Fix details:
1) The reading loop is terminated when a read error or end of input occurs
2) The dot-dot pattern is also checked when there is no '?' in the URI
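A hardened version of the two routines the advisory describes, written here as an added example in C (not Surfboard's own code; the function names and the pipe-based test helper are assumptions of this example): the path check flags ".." or a backtick in the part of the URI before '?' without relying on a '?' being present, and the header reader returns on EOF instead of spinning when the client hangs up.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>

/* Reject a request whose path part (everything before '?', or the whole URI
 * when there is none) contains ".." or a backtick; no '?' is needed. */
int request_is_unsafe(const char *rawreq)
{
    const char *qmark = strchr(rawreq, '?');
    size_t pathlen = qmark ? (size_t)(qmark - rawreq) : strlen(rawreq);
    for (size_t i = 0; i < pathlen; i++) {
        if (rawreq[i] == '`') return 1;
        if (rawreq[i] == '.' && i + 1 < pathlen && rawreq[i + 1] == '.') return 1;
    }
    return 0;
}

/* Read header bytes from socket s into buf until a blank line. Returns the
 * number of bytes stored, or -1 on peer close, hard read error, or overflow.
 * EINTR is retried; EOF is not, so a client that hangs up cannot spin us. */
ssize_t read_request_header(int s, char *buf, size_t buflen)
{
    size_t n = 0; char c, oldc = 0;
    for (;;) {
        ssize_t r = read(s, &c, 1);
        if (r < 0 && errno == EINTR) continue;  /* interrupted: retry */
        if (r <= 0) return -1;                  /* 0 = EOF, -1 = error */
        if (c == '\r') continue;                /* drop CR, keep LF */
        if (c == '\n' && oldc == '\n') break;   /* blank line ends header */
        if (n + 1 >= buflen) return -1;         /* leave room for NUL */
        buf[n++] = c;
        oldc = c;
    }
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Constructed test helper (not Surfboard code): push bytes through a pipe,
 * close the writing end as a client hanging up would, then parse. */
ssize_t header_len_from_bytes(const char *data, size_t len)
{
    char buf[256]; int fds[2];
    if (pipe(fds) != 0) return -1;
    if (len && write(fds[1], data, len) != (ssize_t)len) { close(fds[0]); close(fds[1]); return -1; }
    close(fds[1]);
    ssize_t r = read_request_header(fds[0], buf, sizeof buf);
    close(fds[0]);
    return r;
}
```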