Re: Brown Orifice HTTPD Directory Traversal Vulnerability (was Re: Dangerous Java/Netscape Security Hole)

["Michael H. Warfield" <mhw () WITTSEND COM>]

On Tue, Aug 08, 2000 at 10:42:37PM +0900, TAKAGI, Hiromitsu wrote:
        [...]

> Problem Description
> -------------------
>   Brumleve's demonstration page politely asks users to specify a
>   directory on their computer for public access. However, by specifying
>   "\.." in HTTP requests to the server, an attacker can navigate the
>   server's file system and view/download any files. For example,
>       http://your-ip-address:8080/C:/temp/\../
>   or
>       http://your-ip-address:8080/C:/temp/%5C../ (for Internet Explorer
>       as a client)
>   will display the contents of the root directory of C: drive of the
>   server's computer.

> Affected versions and platforms
> -------------------------------
>   This bug has been verified to be present on the BOHTTPD 0.1 in
>   Netscape Navigator 4.72 for Windows.

        This does not appear to be effective against Netscape Communicator
4.74 on Linux.  I get permission denied for any plain ".." in the path
anywhere and anything with "\.." or "%5c.." gets a Java runtime error
complaining that the directory "\.." was not found.

> Workaround
> ----------
>   Do not use BOHTTPD.  :-)

        :-)

        Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!