Hey, I was testing SHTTPD and found some problems I want to report. Note that I tested only the 1.38 version on Windows, so some of the bugs or some exploitation methods might not work on other platforms. The following are the details of the problems:

----------------------
A] directory traversal
----------------------

Using the "..\" pattern it is possible to download any file on the disk on which the web root directory is located.

--------------------------------------
B] scripts and CGI viewing/downloading
--------------------------------------

Any script or CGI in the server can be viewed/downloaded instead of being executed simply by adding the chars '+', '.', %20 (this one reported by Shay priel in the summer 2007), %2e and any other byte (in hex format too) greater than 0x7f to the requested filename.

---

For testing them:

A]
  http://SERVER/..\..\..\boot.ini
  http://SERVER/..\%2e%2e%5c..\boot.ini

B]
  http://SERVER/file.php+
  http://SERVER/file.php.
  http://SERVER/file.php%20
  http://SERVER/file.php%80

BYEZ

---
Luigi Auriemma
http://aluigi.org
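
Added example, not part of the original message and not SHTTPD's own code: a conservative request-path check that refuses both classes of request described above before the path reaches the filesystem or the script/CGI dispatcher. The function name `request_path_is_safe`, the 1024-byte limit, and the assumption that the query string has already been split off are choices made for this illustration.

```c
#include <stddef.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                  /* fold A-F to a-f */
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Hypothetical helper: returns 1 if the raw request path may be served,
 * 0 if it must be rejected. Decodes %XX exactly once, then validates the
 * decoded bytes, so "%2e%2e%5c" is judged the same as "..\". */
int request_path_is_safe(const char *raw) {
    char buf[1024];
    size_t n = 0;
    if (raw[0] != '/') return 0;
    for (const char *p = raw; *p; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hex_val((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hex_val((unsigned char)p[2]);
            if (lo < 0) return 0;               /* malformed escape */
            c = hi * 16 + lo;
            p += 2;
        }
        /* Backslash is a path separator on Windows; control bytes and
         * anything above printable ASCII (covers > 0x7f) are refused. */
        if (c == '\\' || c < 0x20 || c > 0x7e) return 0;
        if (n + 1 >= sizeof buf) return 0;      /* path too long */
        buf[n++] = (char)c;
    }
    buf[n] = '\0';
    /* Check every segment: Win32 path handling drops trailing dots and
     * spaces, so "file.php." and "file.php " open file.php while no longer
     * matching the script extension. This also rejects "." and "..".
     * '+' is refused because the report lists it (assumption: it is
     * form-decoded to a space somewhere in the request handling). */
    for (const char *seg = buf + 1;;) {
        size_t len = strcspn(seg, "/");
        if (len > 0 && strchr(". +", seg[len - 1])) return 0;
        if (seg[len] == '\0') break;
        seg += len + 1;
    }
    return 1;
}
```

The same decoded path should then be used both for the extension match that selects the script handler and for opening the file, so the two decisions cannot disagree.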
