Bugtraq mailing list archives
Re: [Tclhttpd-users] Re: TCLHttpd Server - Multiple Vulnerabilities
From: Brent Welch <welch () panasas com>
Date: Wed, 24 Sep 2003 13:39:07 -0700
Here is the patch for the dirlist.tcl bug. Please note also that with this bug you can see a directory listing, but you cannot fetch any files that you might be able to see. The server running at www.tcl.tk has had this patch applied to it.

*** dirlist.tcl 4 Apr 2003 04:10:54 -0000 1.10 --- dirlist.tcl 24 Sep 2003 20:32:28 -0000 *************** *** 174,180 **** set path [file split $dir] # Filter pattern to avoid leaking path information ! regsub -all {\.\./} $pattern {} pattern set list [glob -nocomplain -- [file join $dir $pattern]] if {[llength $path] > 1} { --- 174,181 ---- set path [file split $dir] # Filter pattern to avoid leaking path information ! regsub -all {\.+/} $pattern {} pattern ! set pattern [string trimleft $pattern /] set list [glob -nocomplain -- [file join $dir $pattern]] if {[llength $path] > 1} {
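Review bot: the added "set pattern [string trimleft $pattern /]" only strips forward slashes, but the "file join $dir $pattern" it protects discards $dir for any absolute path, including Windows drive-letter forms, and the quoted description says the server runs on Windows; a pattern such as "C:/*" would therefore still replace $dir there. A platform-neutral guard is to test "[file pathtype $pattern]" before the glob and substitute "*" (or reject the request) whenever it is not "relative". Separately, "regsub -all {\.+/}" removes only dot runs that are followed by a slash, so a trailing ".." with no slash ("pattern=..") passes both new lines unchanged and reaches glob as "$dir/.."; that case and "/*" belong in whatever test exercises this proc.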
Michael Schlenker said:
Phuong Nguyen wrote:
Released Date 09/23/2003

TITLE
=====
TCLHttpd 3.4.2 - Multiple Vulnerabilities

DESCRIPTION
===========
"TclHttpd is used both as a general-purpose Web server, and as a framework for building server applications. It implements Tcl (http://www.tcl.tk), including the Tcl Resource Center and Scriptics' electronic commerce facilities. It is also built into several commercial applications such as license servers and mail spam filters. Instructions for setting up the TclHttpd on your platform are given towards the end of the chapter, on page See The TclHttpd Distribution. It works on Unix, Windows, and Macintosh. You can have the server up and running quickly."
More information at http://www.tcl.tk/software/tclhttpd

One should add the sourceforge Project: http://www.sourceforge.net/projects/tclhttpd

PROBLEMS
========
Affected Version : TCLHttpd 3.4.2 (latest) and probably older builds
Tested Platform : Linux(x86)
Multiple flaws in the TCLHttpd server open the door for an attacker to browse any directory on the remote host, and to inject malicious javascript/vbscript content into the user's browser under the TCLHttpd server context (Cross Site Scripting).

DETAILS
=======
[Vulnerability #1] Arbitrary Directory Browsing
When a user requests a directory on a TCLHttpd server, httpdthread.tcl will start to look for various default index file names in that directory; if none can be found, it will pass the operation to the dirlist.tcl script to do the "fancy" directory listing, which gives users the ability to sort files by modification date, name, size or file pattern. The dirlist.tcl script does filter inputs from the users in order to prevent directory traversal, but it can be easily bypassed if an absolute path is entered. Directory listing is enabled by default.
For example: Requesting http://abc.com/images/?pattern=/*&sort=name will return a list of directories under /

Confirmed.
This is similar to: http://sourceforge.net/tracker/index.php?func=detail&aid=591103&group_id=12884&atid=112884

[Vulnerability #2] Cross Site Scripting (XSS)
The TCLHttpd web server comes with various modules in order to increase the flexibility of the server, and the /debug module is enabled by default, which allows you to download logging information and debug the Tcl part of the application without restarting the hosting application. Many modules suffer from multiple Cross Site Scripting (XSS) vulnerabilities that potentially enable a malicious user to "inject" code into a user's session under the TCLHttpd server context. I'm going to use the /debug module as an example.
http://www.abc.com/debug/echo?name=<script>alert('hello');</script>
http://www.abc.com/debug/dbg?host=<script>alert('hello');</script>
http://www.abc.com/debug/showproc?proc=<script>alert('hello');</script>
http://www.abc.com/debug/errorInfo?title=<script>alert('hello');</script>

WORK AROUND
===========
You can eliminate the threats from these vulnerabilities by editing your httpdthread.tcl and commenting out the directory listing option; you should also disable the following modules to prevent Cross Site Scripting: Status, Debug, Mail and Admin.

Michael Schlenker

TclHttpd-users mailing list: https://lists.sourceforge.net/lists/listinfo/tclhttpd-users
--
Brent Welch
Software Architect, Panasas Inc
Delivering the World's Most Scalable and Agile Storage Network
www.panasas.com
welch () panasas com
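The following Tcl script is an added example and is not tclhttpd's own dirlist.tcl. It re-creates the three lines the posted patch touches as three small procs (the 3.4.2 filter, the patched filter, and a stricter variant that is this example's own assumption, not part of the patch), builds a constructed scratch directory, and runs the advisory's "/*" request and a few variants through each filter so the bypass and the fix can be compared side by side. It needs Tcl 8.4 or later for file normalize.

```tcl
# Added example; this is not tclhttpd's own dirlist.tcl. It models the three
# lines the posted patch touches so the "/*" bypass from the advisory and the
# fix can be run side by side. The scratch directory tree it lists is
# constructed by the script itself and removed at the end.

# Filter as shipped in tclhttpd 3.4.2: removes "../" and nothing else. An
# absolute pattern such as "/*" survives, and [file join] then discards $dir,
# because a later absolute component replaces everything before it.
proc FilterPattern_342 {pattern} {
    regsub -all {\.\./} $pattern {} pattern
    return $pattern
}

# Filter from the posted patch: removes any run of dots followed by "/", then
# strips leading slashes so the pattern can only be relative to $dir.
proc FilterPattern_patched {pattern} {
    regsub -all {\.+/} $pattern {} pattern
    set pattern [string trimleft $pattern /]
    return $pattern
}

# Stricter variant (an assumption of this example, not part of the patch):
# accept only a plain relative glob with no separator or ".." anywhere, and
# fall back to "*" otherwise. [file pathtype] also reports Windows
# drive-letter paths as absolute, which a leading-slash trim does not catch.
proc FilterPattern_strict {pattern} {
    if {![string equal [file pathtype $pattern] relative]
            || [string match {*..*} $pattern]
            || [string first / $pattern] >= 0
            || [string first \\ $pattern] >= 0} {
        return *
    }
    return $pattern
}

# The glob dirlist.tcl performs once the pattern has been filtered.
proc ListDir {dir pattern} {
    return [lsort [glob -nocomplain -- [file join $dir $pattern]]]
}

# Constructed scratch tree: ./tclhttpd_demo/images/{a.gif,b.gif}
set root [file join [pwd] tclhttpd_demo]
set dir  [file join $root images]
file mkdir $dir
foreach f {a.gif b.gif} {
    close [open [file join $dir $f] w]
}

# Run the advisory's "/*" request and a few variants through each filter and
# report whether the path handed to glob still lies below $dir.
foreach {label filter} {
    3.4.2   FilterPattern_342
    patched FilterPattern_patched
    strict  FilterPattern_strict
} {
    foreach pattern {* ../* /* //* ..} {
        set clean  [$filter $pattern]
        set joined [file join $dir $clean]
        set inside [string match [file join $dir *] [file normalize $joined]]
        puts [format "%-7s %-4s -> %-4s joins to %s (%s)" $label $pattern \
            $clean $joined [expr {$inside ? "inside dir" : "ESCAPES dir"}]]
        if {$inside} {
            puts "        matches: [llength [ListDir $dir $clean]] entries"
        }
    }
}
file delete -force $root
```

Run it with tclsh. The 3.4.2 rows show "/*" and "//*" joining to the filesystem root, which is the listing the advisory describes; the patched rows bring those back under the images directory, while ".." still escapes, because the regsub only strips dot runs that end in a slash; the strict rows never leave the directory.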
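The script below is an added example and does not reproduce tclhttpd's real /debug module; the two handler procs are hypothetical stand-ins for an "echo?name=..." page, written to show the one change that closes the reflected XSS the advisory reports: escaping the query value on output instead of interpolating it verbatim. The probe value is the one from the advisory's own URLs.

```tcl
# Added example; the handlers are hypothetical and not tclhttpd's /debug code.
# They show why "/debug/echo?name=<script>..." lands in the page as markup in
# 3.4.2 and how output escaping stops it, independently of disabling the module.

# Escape the five characters that let a value break out of HTML text or an
# attribute. [string map] works in a single pass, so the entities it emits are
# never re-escaped by a later mapping.
proc HtmlEscape {s} {
    return [string map {& &amp; < &lt; > &gt; \" &quot; ' &#39;} $s]
}

# Hypothetical handler as it behaves in 3.4.2: the decoded query value is
# interpolated into the page verbatim, so browser-interpreted markup survives.
proc EchoPage_vulnerable {name} {
    return "<html><body><h2>echo</h2><p>name = $name</p></body></html>"
}

# Same page with the value escaped at the point it enters the HTML.
proc EchoPage_fixed {name} {
    return "<html><body><h2>echo</h2><p>name = [HtmlEscape $name]</p></body></html>"
}

# Minimal check a test suite can run against any handler: does the reflected
# value reach the page unchanged, i.e. as raw markup?
proc ReflectsMarkup {page value} {
    return [expr {[string first $value $page] >= 0}]
}

# Constructed request value, taken from the advisory's example URLs.
set probe {<script>alert('hello');</script>}

foreach handler {EchoPage_vulnerable EchoPage_fixed} {
    set page [$handler $probe]
    puts "$handler:"
    puts "  $page"
    puts "  raw markup reflected: [ReflectsMarkup $page $probe]"
}
```

The first handler prints 1 for "raw markup reflected", the second prints 0 and shows the value as "&lt;script&gt;...". The advisory's workaround of disabling the Status, Debug, Mail and Admin modules removes the pages; escaping at the point of output, as EchoPage_fixed does, is what lets a module like /debug stay enabled without reflecting request data as markup.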
Current thread:
- TCLHttpd Server - Multiple Vulnerabilities Phuong Nguyen (Sep 24)
- Re: [Tclhttpd-users] Re: TCLHttpd Server - Multiple Vulnerabilities Brent Welch (Sep 24)