GWeb HTTP server version 0.6 is susceptible to a directory traversal bug that allows remote attackers to access files outside of the webroot.
c20a48105f58c207217782b131ab51bde54557edd4d00995be8d9650ff678743
Donato Ferrante
Application: GWeb HTTP Server
https://freshmeat.net/projects/gweb/
Version: 0.6
Bug: directory traversal bug
Author: Donato Ferrante
e-mail: fdonato@autistici.org
web: www.autistici.org/fdonato
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description
2. The bug
3. The code
4. The Fix
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------
1. Description:
----------------
Vendor's Description:
"GWeb is a project to develop an HTTP server using Java, making it
small and portable. It will run on any system running the Java
Runtime Environment."
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
2. The bug:
------------
The program doesn't check for malicious patterns like "/../", so an
attacker is able to see and download all the files on the remote
system simply using a browser.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-------------
3. The code:
-------------
To test the vulnerability:
https://[host]/../../../../../../windows/system.ini
or:
https://[host]/../someFile
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------
4. The Fix:
------------
No fix.
The vendor has not answered to my signalations.
If you want, you can use my following little patch, that should fix
the bug for this version of GWeb HTTP Server:
...
..
.
(line: 136) String dir="www"+System.getProperty("file.separator");
/* start of patch */
int f_len = f.length();
boolean check = false;
for(int bi = 0; bi < f.length()-2 && check == false; bi++){
if(
(f.charAt(bi) == '\"') || (f.charAt(bi)=='/') &&
(f.charAt(bi+1)=='.') && (f.charAt(bi+2) == '.')
){
f_len = 0;
check = true;
}
else if(
(f.charAt(bi)=='.') &&
(f.charAt(bi+1) == '.')
){
f_len = 0;
check = true;
}
}
if(f_len <= 2) // before "if(f.length()==0)"
/* end of patch */
{
file=dir+"index.html";
}
.
..
...
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx