On Tue, 6 Feb 2001 [EMAIL PROTECTED] wrote:

> Vulnerability in AOLserver
>     Overview
> AOLserver v3.2 is a web server available from http://www.aolserver.com.
> A vulnerability exists which allows a remote user user to break out of the
> web root using relative paths (ie: '...').
>     Details
> AOLServer checks the requested virtual path for any double dots ('..'),
> and returns a 'Not Found' error page if any are present.  However, it
> does not check for triple dots ('...').  Here is an example URL:
>         http://localhost:8000/.../[file outside web root]
> Note that this vulnerability has only been tested on the latest stable
> release (v3.2) for the Win32 platform.
>     Solution
> No quick fix is possible.
>     Vendor Status
> America Online, Inc. was contacted via http://www.aolserver.com/feedback/
> on Tuesday, January 30, 2001.  No reply was received.

Here's a possible "quick fix".  It took me five minutes, but that was just
because I had to download AOLserver for Windoze and install it.  Simply
copy the following Tcl code into a .tcl file in either the servers private
or public Tcl library (c:\program files\aolserver\modules\tcl in the
default Windows installation) and restart AOLserver.

#### cut here ####

    ns_register_filter preauth GET  /* windows_triple_dot_check
    ns_register_filter preauth POST /* windows_triple_dot_check
    ns_register_filter preauth HEAD /* windows_triple_dot_check

    proc windows_triple_dot_check {args} {
        if {[string match */...* [ns_conn url]]} {
            return filter_return
        } else {
            return filter_ok

#### cut here ####


Michael A. Cleverly

Reply via email to