directory traversal bug in Pserv 3.0b2

Donato Ferrante <fdonato@autistici.org> · Wed, 24 Dec 2003 17:31:21 +0100

Donato Ferrante


Application:  PSERV - the small web server
              http://sourceforge.net/projects/pserv

Version:      3.0 beta 2

Bug:          directory traversal bug

Author:       Donato Ferrante
              e-mail: fdonato@autistici.org
              web:    www.autistici.org/fdonato


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The patch


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"The aim of pServ (pico Server) is to create a portable, small
webserver.
Coded in portable C with Unix being the main reference platform, but
porting is encouraged. Portability and small footprint should enable
the use of pServ on a workstation as well as."


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

The program, by default, has an anti-directory traversal check, but
this check can be easily bypassed using the double slash ("//") into
the http requests.


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the pserv's vulnerability simply send to the webserver an http
request string, like that:

                     "GET //../ HTTP/1.0\r\n\r\n"

or generally:

                    GET //../MY_PATH HTTP/1.0\r\n\r\n
                    GET /SOME_DIRECTORY//..//../ HTTP/1.0\r\n\r\n
                        
so the webserver will allow you to go out of the documentsPath
assigned to the webserver, and navigate through the system.


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

--------------
4. The patch:
--------------

To fix the bug simply go on the pserv's official website,
http://sourceforge.net/projects/pserv, and download the latest version
of pserv (see also in CVS).

Or, if you want, you can use my following little patch, that should fix
the bug for the version 3.0b2 of Pserv:

--- main.c	2003-09-22 10:39:24.000000000 +0200
+++ patch.c	2003-12-19 12:40:47.000000000 +0100
@@ -455,6 +455,11 @@
                     dirName[1] = req.documentAddress[2];
                     dirName[2] = req.documentAddress[3];
                     dirName[3] ='\0';
+                    if (dirName[0] == '/')
+                    {
+                        sayError(sock, FORBIDDEN, req.documentAddress, req);
+                        return -1;
+                    }
                     if (!strcmp(dirName, "../"))
                     {
                         sayError(sock, FORBIDDEN, req.documentAddress, req);
@@ -462,6 +467,15 @@
                     }
                 }
                 j = 0;
+                for(i = 1; i < sL; i++) {
+                   if(req.documentAddress[i] == '/')
+                        if(req.documentAddress[i+1] == '/')
+                        {
+                            sayError(sock, FORBIDDEN, req.documentAddress, req);
+                            return -1;
+                        }
+
+		}
                 for (i = 1; i < sL; i++) {
                     if (req.documentAddress[i] == '/')
                     {


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx





