Vulnerability Development mailing list archives

Anti-Web "Vulnerability" is a false alarm


From: "D." <dugely () yahoo com>
Date: Sat, 1 Dec 2001 23:03:06 -0800 (PST)

Hello Bugtraq,

This is Doug Hoyte, head programmer of the Anti-Web
project. I'm responding to an "advisory" put out
recently by the "GOBBLES research group".

I was not contacted by this "researcher". I'm an
occasional reader of bugtraq, but I missed this
particular message. I wouldn't have found out at all
if I wasn't E-Mailed by Stuart Moore of
www.securitytracker.com (which is an
excellent security website, by the way.) Stuart also
said to me that he was unable to validate GOBBLES'
claims. Thank you for notifying me, Stuart.

Since early versions of Anti-Web, I've been aware of
GET request attacks using '..', '~', etc, and have
programmed this security into Anti-Web as such. As you
can imagine, I was very surprised by this "advisory". I
checked to make sure it was a recent version that
GOBBLES was testing. It was.

After reading GOBBLES' message through, I realized
that his testing procedure was completely flawed.

I'm not intimately familiar with lynx, but I realized
that something strange was going on here.

I decided to disprove GOBBLES' technique. The ps and
netstat commands show that awhttpd is NOT running on
this system. Next, I run the same command procedure
that GOBBLES ran in his advisory.

/home/doug/tp2@orion$ uname -a
OpenBSD orion 2.9 DOUGS#0 i386
/home/doug/tp2@orion$ ps -aux | grep awhttpd
/home/doug/tp2@orion$ netstat -an | grep 2000
/home/doug/tp2@orion$ lynx -dump localhost:2000/../
GOBBLES
/home/doug/tp2@orion$ cat GOBBLES 

Current directory is /home/doug/tp2/

    -rw-r--r--    1 doug     doug           0 Dec  1 20:51 [1]GOBBLES
    -rw-r--r--    1 doug     doug       37287 Dec  1 20:34 [2]awhttpd-2.1.tgz
    drwxr-xr-x    3 doug     doug         512 Dec  1 20:35 [3]awhttpd/
    -rw-r--r--    1 doug     doug         928 Dec  1 20:50 [4]gobblesreply.txt

References

   1. file://localhost/home/doug/tp2/GOBBLES
   2. file://localhost/home/doug/tp2/awhttpd-2.1.tgz
   3. file://localhost/home/doug/tp2/awhttpd
   4. file://localhost/home/doug/tp2/gobblesreply.txt
/home/doug/tp2@orion$


Obviously, lynx isn't going through the webserver to
get this information.

Honestly, I don't see how GOBBLES could have thought
he discovered a security hole in here. Note in the
references it says "file://" instead of "http://".
That should have been his first clue.

Although this proves nothing about AW's security (as
it proves nothing about any holes in AW), you can
quickly and easily verify the hole by trying GOBBLES'
"exploit" on an AW box (as GOBBLES himself didn't do,
obviously).

For instance, if AW is running in /var/webpage (as
mine is), try sending your favorite browser to
http://the.box.com/../../etc/passwd

You'll see a 404 Not Found.


After verifying this myself, I feel confident to
release this "vendor" response: (Damn I sound
professional :) )

The GOBBLES advisory is a false alarm. This
vulnerability doesn't exist in Anti-Web, and hasn't
existed since at least 2.0, and possibly earlier
versions. In other words, all publicly released
versions are safe.



Next, I'd like to clear my name a little bit. GOBBLES'
words were harsh, and as is now confirmed, completely
unfounded.

GOBBLES mentioned that it was a bit hypocritical of me
not to run AW on my own webserver. This seems to be
yet another prime example of GOBBLES' incompetence.

If he had investigated his claim even slightly, he
would have seen that the AW URL
(hardcoresoftware.cjb.net/awhttpd/) is a URL forwarder
to my own machine (pulsar.sytes.net) which is running
AW 2.2 on OpenBSD 2.9. Cjb.net isn't running AW, so I
can see how he could have gotten confused, but that
really is no excuse.

Proof? Cruise to pulsar.sytes.net in lynx and hit '='.

Why don't I just buy my own DNS name? I'm a poor
Canadian college student with no credit card, so I
must rely on free DNS entries (no-ip.com) and URL
forwarders (cjb.net). Thank you to those services, by
the way.

As for my "mocking" of more popular webservers, I
realize that perhaps some of what I say in the README
could be taken the wrong way. All I'm saying is that
in more commonly used webservers, there tends to be a
lot of feature bloat which, as most bugtraq readers
should recognize, often results in security flaws.
Anti-Web is a smaller, more simple server than most of
the others out there. Don't get me wrong again, I have
an incredible amount of respect for the apache,
thttpd, and IIS programmers. They've got features in
their servers that I could only wish for, but
sometimes a more light-weight solution is in order.

Anyways, this shameless smear campaign that GOBBLES is
running is completely uncalled for and, I must say, a
seemingly common symptom on full disclosure lists. We
should all take a lesson from Stuart Moore, who
actually tested this "exploit" before putting it on
his website. The security community needs more
rational, intelligent minds like this, and less self
indulgent halfwits like GOBBLES trying vainly to make
names for themselves.

GOBBLES, please try to put yourself into the shoes of
an open source programmer. I love my code and I'm
proud of my code. As such, I have no problem sharing
the code under the GPL. I'm genuinely happy when
people use it and stress test it for vulnerabilities.
All I ask is that you at least notify me before you
ruin my reputation, and for god's sake, confirm your
fucking exploits! 



Doug Hoyte

P.S. Anti-Web is up for download at
http://hardcoresoftware.cjb.net/awhttpd/
Or, you could just search Freshmeat.


Thanks go to Stuart Moore, the OpenBSD team,
#disguise, #hackcanada
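The docroot containment check the post says Anti-Web applies to '..' in GET paths (the request for /../../etc/passwd that should yield a 404), written out as an added example; this is not Anti-Web's code, the function name is hypothetical, and /var/webpage is just the document root mentioned in the post.

```python
import os
from urllib.parse import unquote

# Document root from the post ("AW is running in /var/webpage"); any
# directory works, the check is relative to whatever root is given.
DOCROOT = "/var/webpage"


def resolve_request_path(docroot, request_target):
    """Map the request-target of a GET line to a file beneath docroot.

    Returns the path relative to docroot ("." for the root itself), or
    None when the request would leave docroot, in which case a server
    should answer 404 Not Found, as the post reports Anti-Web does.
    Name and signature are hypothetical, not Anti-Web's API.
    """
    # Drop the query string, then percent-decode exactly once so that
    # %2e%2e is seen as '..' before the containment check runs.
    path = unquote(request_target.split("?", 1)[0])
    # NUL bytes and targets that are not absolute paths are malformed.
    if "\x00" in path or not path.startswith("/"):
        return None
    root = os.path.realpath(docroot)
    # realpath collapses '.', '..' and resolves symlinks, so the check
    # below sees the file that would actually be opened, not the text
    # the client sent.
    candidate = os.path.realpath(os.path.join(root, path.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None  # escaped docroot: answer 404
    return os.path.relpath(candidate, root)


if __name__ == "__main__":
    for target in ("/index.html", "/../../etc/passwd",
                   "/%2e%2e/%2e%2e/etc/passwd", "/docs/../index.html?v=1"):
        print(f"{target:32} -> {resolve_request_path(DOCROOT, target)}")
```

Because the check runs on the decoded, canonicalised path, a double-encoded sequence like %252e%252e decodes to the literal directory name "%2e%2e" and stays inside the docroot, which is the correct outcome for a single-decode server.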
