Donato Ferrante Application: Pegasi Web Server (PWS) http://pws.sourceforge.net Version: 0.2.2 Bugs: Multiple Vulnerabilities Author: Donato Ferrante e-mail: fdonato@autistici.org web: www.autistici.org/fdonato xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 1. Description 2. The bugs 3. The code 4. The fix xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ---------------- 1. Description: ---------------- Vendor's Description: "Pegasi Web Server (PWS) is a multithreading Java Web server. It is written by students at the PegasiLUG as a project for Networking." xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ------------- 2. The bugs: ------------- [1] directory traversal bug: the program doesn't check for malicious patterns like "/../", so an attacker is able to navigate through the system simply using a browser. [2] cross site scripting bug: the user input strings are not filtered and they will appear in the returned page. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ------------- 3. The code: ------------- To test the vulnerabilities: [1] http://[host]:8080/../../../../etc/passwd or: http://[host]:8080/../ [2] http://[host]:8080/<script>alert("Test")</script> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ------------ 4. The fix: ------------ No fix. The email addresses provided on the official website seem don't work. If you want, you can use my following little patch, that should fix the bugs for this version of Pegasi Web Server: ... .. . ( line: 30 of FileFinder.java ) FileFinder(String httpURIPath) { /* start of patch for [1] */ boolean done = false; for(int z = 0; z < httpURIPath.length()-1; z++){ if( httpURIPath.charAt(z) == '.' && httpURIPath.charAt(z+1) == '.'){ this.status = -1; done = true; } } if( done == true ) return; /* end of patch for [1] */ . .. ... - - - - - ... .. . ( line: 233 of Connection.java ) /* start of patch for [2] */ case -1: /* nothing found */ { Misc.putSysMessage(0,"Requested file was NOT found."); output.outputError(404, " "); //before "output.outputError(404,httpURI);" break; } /* end of patch for [2] */ . .. ... xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx