Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"

Security Advisory
AnalogX "SimpleServer:WWW" dot dot bug
----------------------------------------------------------------------
FS Advisory ID:      FS-072600-8-ANA
Release Date:        July 26, 2000
Product:             SimpleServer:WWW
Vendor:              AnalogX (http://www.analogx.com)
Vendor Advisory:     New patched version 1.07 available
Type:                Ability to retrieve any known file from hosting system
Severity:            High
Author:              Robin Keir (robin.keir@foundstone.com)
                     Stuart McClure (stuart.mcclure@foundstone.com)
                     Foundstone, Inc. (http://www.foundstone.com)
Operating Systems:   All Windows operating systems supported by SimpleServer
Vulnerable versions: SimpleServer:WWW 1.06 (and possibly previous versions)
Foundstone Advisory: http://www.foundstone.com/advisories.htm
----------------------------------------------------------------------

Description

AnalogX SimpleServer:WWW is a simple but effective web server designed for the home or small business user. Its main claim is ease of use and setup.

SimpleServer is vulnerable to a "relative directory path" attack that allows a remote user to retrieve any known file from the file system of the server on which it is hosted.

Details

In normal use SimpleServer protects against accessing files above the directory in which the server is installed. It has been proven to correctly deny access when using URLs of the following format:

http://www.victim.com/../file.dat

However, by substituting the dot characters with their equivalent hexadecimal URL-encoded form, %2E, this restriction is removed, giving the attacker full read access to any file on the remote system.

Proof of concept

An HTTP request of the form

http://www.victim.com/%2E%2E/file.dat

will succeed in retrieving the file "file.dat" from one directory level above the server root directory, if it exists. Using similar URL requests it has been shown that any known file on the system can be retrieved.
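As an added illustration (not part of the Foundstone advisory and not AnalogX's code), the following Python contrasts a check that only looks for a literal ".." in the raw request path, which is the behaviour the advisory describes being bypassed, with a resolver that percent-decodes before it normalizes and refuses any request that would climb above the document root. The document root value is an assumption taken from the advisory's default install location.

```python
from urllib.parse import unquote

# Document root assumed from the advisory's default install location (constructed).
DOCROOT = "C:/Program Files/AnalogX/SimpleServer/www"


def naive_is_safe(url_path: str) -> bool:
    """The kind of check the advisory describes as bypassed: it looks for a
    literal '..' in the raw request path before any percent-decoding, so
    '%2E%2E' slips through."""
    return ".." not in url_path


def percent_decode_fully(s: str, max_rounds: int = 3) -> str:
    """Decode until the string stops changing, so a double-encoded '%252E'
    cannot sneak a '.' past a single decoding pass."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    return s


def resolve_safely(docroot: str, url_path: str):
    """Hardened resolution: decode first, then walk the path segment by
    segment and refuse any request that would climb above the document root.
    Returns the resolved file path, or None if the request is rejected."""
    decoded = percent_decode_fully(url_path)
    if "\x00" in decoded:                  # an embedded NUL would truncate a C path
        return None
    decoded = decoded.replace("\\", "/")   # Windows accepts either separator
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue                       # empty or current-directory segment
        if seg == "..":
            if not segments:
                return None                # would leave the document root
            segments.pop()
        else:
            segments.append(seg)
    return docroot.rstrip("/") + "/" + "/".join(segments)


if __name__ == "__main__":
    for req in ("/../file.dat", "/%2E%2E/file.dat", "/docs/%2E%2E/index.html"):
        print(req, "naive:", naive_is_safe(req), "hardened:", resolve_safely(DOCROOT, req))
```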
A further example: assuming the default installation location of SimpleServer, a request of the form

http://www.victim.com/%2E%2E/%2E%2E/windows/user.dat

would retrieve the remote user's registry file from a Windows 95/98 machine, which would very likely contain confidential information.

Another example shows that it is possible to retrieve the log files from the web server directory itself:

http://www.victim.com/%2E%2E/%2E%2E/Program%20Files/AnalogX/SimpleServer/www/server.log

Solution

Download SimpleServer:WWW version 1.07 from http://www.analogx.com/contents/download/network/sswww.htm

Preliminary tests of the fix by Foundstone have confirmed the problem is corrected.

Credits

We would like to thank AnalogX for their prompt reaction to this problem and their co-operation in heightening security awareness in the security community.

Disclaimer

THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT (C) 2000 OF FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.