ACD Incorporated Security Advisory
___________________________________________________

Project:       Comprehensive Web Programming API
Synopsis:      GetRelativePath() in CwpApi.php returns paths outside of the HTTP ServerRoot.
Advisory date: January 18, 2002
New version:   1.1.1
___________________________________________________

1. In Brief:

An updated CwpApi release is available which fixes a minor security bug in GetRelativePath() that allows a file outside the HTTP ServerRoot to be read.

2. Applies to:

All versions prior to and including CwpApi-1.1.0, on any platform.

3. Problem description:

Versions of CwpApi before 1.1.1 (this security fix release) can return a path from GetRelativePath() that lies outside the HTTP server root. The cause is that the code checked only whether the server root string appeared somewhere in the path, not whether the directory actually falls under the server root. For example, with a server root of /var/www, the path /etc/var/www/myfile.file would be accepted as valid because it contains the substring /var/www. CwpApi version 1.1.1 fixes this bug.

4. Exploitability:

Generally this bug should not cause much harm unless the server administrator has similarly named directories elsewhere on the server filesystem (as in the example above). All users of the API are encouraged to download the update.

5. How the Update Functions:

If the directory is not below the server root, the path is forced beneath the server root. For example, /etc/var/www/myfile.file becomes /var/www/etc/var/www/myfile.file.

6. Files:

ZIP/TGZ: http://sourceforge.net/project/showfiles.php?group_id=39378&release_id=69915
Project Homepage: http://sourceforge.net/projects/cwpapi/

Copyright (c) 2001-2002, ACD, Incorporated.
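The following PHP is an added illustration of the substring check described in section 3 next to a directory-prefix containment check, plus the "force beneath the root" behaviour described in section 5. It is not CwpApi's code, and the function names (normalizeAbsolutePath, insideRootVulnerable, insideRoot, forceUnderRoot) and the sample paths are assumptions made for this example. The '..' and '/var/wwwroot' cases are consequences a plain substring test would have; the advisory itself only mentions the similarly-named-directory case.

```php
<?php
// Added example, not code from CwpApi. Function names and sample paths
// are illustrative assumptions.
declare(strict_types=1);

// Lexically normalize an absolute path: drop empty and '.' segments and
// resolve '..'. Done lexically rather than with realpath() so it also works
// for paths that do not exist; it does not resolve symlinks.
function normalizeAbsolutePath(string $path): string {
    $parts = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);   // cannot climb above '/'
            continue;
        }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

// The flawed check described in section 3: accept any path that merely
// mentions the server root somewhere in the string.
function insideRootVulnerable(string $path, string $root): bool {
    return strpos($path, $root) !== false;
}

// Containment check: the normalized path must be the root itself or begin
// with the root followed by a directory separator.
function insideRoot(string $path, string $root): bool {
    $p = normalizeAbsolutePath($path);
    $r = rtrim(normalizeAbsolutePath($root), '/');
    return $p === $r || strpos($p, $r . '/') === 0;
}

// The behaviour described in section 5: a path not below the root is
// relocated beneath it instead of being rejected.
function forceUnderRoot(string $path, string $root): string {
    $p = normalizeAbsolutePath($path);
    $r = rtrim(normalizeAbsolutePath($root), '/');
    return insideRoot($p, $r) ? $p : $r . $p;
}

$root = '/var/www';
$cases = [                          // constructed sample inputs
    '/var/www/myfile.file',         // legitimate
    '/etc/var/www/myfile.file',     // the advisory's example: root is only a substring
    '/var/www/../../etc/passwd',    // mentions the root, resolves outside it
    '/var/wwwroot/index.php',       // sibling directory sharing the root's prefix
];
foreach ($cases as $case) {
    printf("%-28s vulnerable=%-3s hardened=%-3s forced=%s\n", $case,
        insideRootVulnerable($case, $root) ? 'yes' : 'no',
        insideRoot($case, $root) ? 'yes' : 'no',
        forceUnderRoot($case, $root));
}
```

Only the first path is accepted by the containment check; the other three pass the substring test and are relocated beneath /var/www by forceUnderRoot, which for the advisory's example yields /var/www/etc/var/www/myfile.file. On a real server, run the final path through realpath() as well so that symlinks under the document root cannot point outside it.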