Re: IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server

["Daniel R. Ome" <keziah () uole com>]

En Wed, Sep 25, 2002 at 09:10:45AM -0000, 
DownBload escribió sobre IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server:

>                 [ Illegal Instruction Labs Advisory ]
> [-------------------------------------------------------------------------]
> Advisory name: Reverse traversal vulnerability in Monkey (0.1.4) HTTP 
> server
> Advisory number: 12
> Application: Monkey (0.1.4) HTTP server
> Application author: Eduardo Silva (EdsipeR) 
> Author e-mail: edsiper () linux-chile org
> Monkey Project: http://monkeyd.sourceforge.net
> Date: 06.09.2002
> Impact: Attacker can read files out of SERVER_ROOT directory 
>
> ... 
> ======[ Problem
> Monkey doesn't check HTTP request for ../ string, and because of that, 
> attacker can view any file out of SERVER_ROOT directory which Monkey can 
> read (if Monkey is running under root account, attacker can read any file 
> on that machine). 
> There is still one thing which will make attack a little more "complicate":
>
> ...
>
> Translated to (poor:) english: 
> If our request is / or second char of our request is . , than path will be
> set to SERVER_ROOT, and in that case, we can't go out of SERVER_ROOT 
> directory. 
>
> Previous "if" will prevent simple reverse traversal attack like this one:
> ---cut here---
> GET /../../../../../../../../../etc/passwd HTTP/1.0
> ---cut here---
>
> But can't prevent this reverse traversal attack:
> ---cut here---
> GET //../../../../../../../../../etc/passwd HTTP/1.0
> ---cut here---

 Hi:

    This bug was reported in December 2001 and corrected  in  following 
 versions. Anyway recently was released Monkey 0.5.0.

    Nos vemos
                                             Daniel

-- 

   Daniel R. Ome    |  Adán comió la manzana, y todavía
    Jujuy - R.A.    |  nos duelen las muelas.
 Linux User 165078  |      Proverbio húngaro.