Re: [Tclhttpd-users] Re: TCLHttpd Server - Multiple Vulnerabilities

[Brent Welch <welch () panasas com>]

Here is the patch for the dirlist.tcl bug
Please note also that with this bug you can see a
directory listing, but you cannot fetch any files that
you might be able to see.  The server running at www.tcl.tk
has had this patch applied to it.

*** dirlist.tcl 4 Apr 2003 04:10:54 -0000       1.10
--- dirlist.tcl 24 Sep 2003 20:32:28 -0000
***************
*** 174,180 ****
      set path [file split $dir]

      # Filter pattern to avoid leaking path information
!     regsub -all {\.\./} $pattern {} pattern

      set list [glob -nocomplain -- [file join $dir $pattern]]
      if {[llength $path] > 1} {
--- 174,181 ----
      set path [file split $dir]

      # Filter pattern to avoid leaking path information
!     regsub -all {\.+/} $pattern {} pattern
!     set pattern [string trimleft $pattern /]

      set list [glob -nocomplain -- [file join $dir $pattern]]
      if {[llength $path] > 1} {

> > > Michael Schlenker said:
> Phuong Nguyen wrote:
>
> > Released Date 09/23/2003
> >
> > TITLE
> > =====
> > TCLHttpd 3.4.2 - Multiple Vulnerabilities
> >
> > DESCRIPTION
> > ===========
> > "TclHttpd is used both as a general-purpose Web
> > server, and as a framework for building server
> > applications. It implements Tcl (http://www.tcl.tk),
> > including the Tcl Resource Center and Scriptics'
> > electronic commerce facilities. It is also
> > built into several commercial applications such as
> > license servers and mail spam filters. Instructions
> > for setting up the TclHttpd on your platform are given
> > towards the end of the chapter, on page See The
> > TclHttpd Distribution. It works on Unix, Windows, and
> > Macintosh. You can have the server up and running
> > quickly."
> >
> > More information at
> > http://www.tcl.tk/software/tclhttpd
> One should add the sourceforge Project:
> http://www.sourceforge.net/projects/tclhttpd
>
> > PROBLEMS
> > ========
> > Affected Version    : TCLHttpd 3.4.2 (latest) and
> > probably older builds
> > Tested Platform             : Linux(x86)
> >
> > Mutiple flaws in TCLHttpd server which open door for
> > an attacker to browse any directories on the remote
> > host, and to inject 
> >
> > malicious javascript/vbscript content to the user's
> > browser under the TCLHttpd server context (Cross Site
> > Scripting).
> >
> > DETAILS
> > =======
> > [Vulnerability #1] Arbitrary Directory Browsing
> >
> > When a user requests a directory on TCLHttpd server,
> > httpdthread.tcl will start to look for various default
> > index file names in that directory, if none can be
> > found then it will pass the operation to dirlist.tcl
> > script to do the "fancy" directory listing which
> > provides users the ability to sort files by modify
> > date, name, size or file's pattern. Dirlist.tcl script
> > does filter inputs from the users in order to prevent
> > directory traversal but it can be easily bypassed if
> > an absolute path was entered. Directory listing is
> > enabled by default.
> >
> > For example: Requesting
> > http://abc.com/images/?pattern=/*&sort=name will
> > return you a list of directory under /
> Confirmed. This is similar to:
> http://sourceforge.net/tracker/index.php?func=detail&aid=591103&group_id=128
     84&atid=112884
> > [Vulnerability #2] Cross Site Scripting (XSS)
> >
> > TCLHttpd web server comes with various modules in
> > order to increase the flexibility of the server, and
> > /debug module is enable by default which allows you to
> > download logging information, debug the Tcl part of
> > the application without restarting the hosting
> > application. 
> >
> > Many modules are suffered from the
> > multiple Cross Site Scripting (XSS) vulnerabilities
> > that potentially enable a malicious user to "inject"
> > code into a user's session under TCLHttpd server
> > context. I'm going to use the /debug module as an
> > example.
> >
> > http://www.abc.com/debug/echo?name=<script>alert('hello');</script>
> > http://www.abc.com/debug/dbg?host=<script>alert('hello');</script>
> > http://www.abc.com/debug/showproc?proc=<script>alert('hello');</script>
> > http://www.abc.com/debug/errorInfo?title=<script>alert('hello');</script>
> >
> > WORK AROUND
> > ===========
> > You can eliminate the threats from these
> > vulnerabilities by editing your httpdthread.tcl and
> > comment out the directory listing option, also you
> > should disable the following modules to prevent Cross
> > Site Scripting: Status, Debug, Mail and Admin.
> >  
>
> Michael Schlenker
>
>
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> TclHttpd-users mailing list
> TclHttpd-users () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/tclhttpd-users

--
Brent Welch
Software Architect, Panasas Inc
Delivering the World's Most Scalable and Agile Storage Network
www.panasas.com
welch () panasas com