Westpoint Security Advisory
Title: GoAhead Web Server Directory Traversal + Cross Site Scripting
Risk Rating: Medium
Software: GoAhead Web Server v2.1
Platforms: Windows NT/98/95/CE
Embedded Linux
Linux
QNX
Novell Netware + others
Vendor URL: www.goahead.com/webserver/webserver.htm
Author: Matt Moore <matt@westpoint.ltd.uk>
Date: 10th July 2002
Advisory ID#: wp-02-0001
Overview:
=========
GoAhead is an open source 'embedded' web server. Apparently used in various
networking devices from several blue chip companies.
( http://www.goahead.com/webserver/customers.htm )
Details:
========
Cross Site Scripting via 404 messages.
--------------------------------------
GoAhead quotes back the requested URL when responding with a 404. Hence it
is possible to perform cross-site scripting attacks, e.g:
GoAhead-server/SCRIPTalert(document.domain)/SCRIPT
Read arbitrary files from the server running GoAhead(Directory Traversal)
-------------------------------------------------------------------------
GoAhead is vulnerable to a directory traversal bug. A request such as
GoAhead-server/../../../../../../../ results in an error message
'Cannot open URL'.
However, by encoding the '/' character, it is possible to break out of the
web root and read arbitrary files from the server.
Hence a request like:
GoAhead-server/..%5C..%5C..%5C..%5C..%5C..%5C/winnt/win.ini returns the
contents of the win.ini file.
Vendor Response:
================
I was unable to obtain any response from GoAhead technical support
regarding
the identified issues.
Patch Information:
==================
No vendor response, so unsure if fixed version available.
Security History:
=================
http://www.securiteam.com/securitynews/5QP010U3FS.html - Directory
Traversal
http://www.securiteam.com/securitynews/5IP0E2K41I.html - Denial of Service
http://www.securiteam.com/windowsntfocus/5LP040A3RS.html - Denial of
Service
This advisory is available online at:
http://www.westpoint.ltd.uk/advisories/wp-02-0001.txt
