8711542 2002-07-10 11:59 +0100  /80 rader/ Matt Moore <matt@westpoint.ltd.uk>
Sänt av: joel@lysator.liu.se
Importerad: 2002-07-10  18:44  av Brevbäraren
Extern mottagare: bugtraq <bugtraq@securityfocus.com>
Mottagare: Bugtraq (import) <23009>
Ärende: wp-02-0001: GoAhead Web Server Directory Traversal + Cross Site Scripting
------------------------------------------------------------
From: Matt Moore <matt@westpoint.ltd.uk>
To: bugtraq <bugtraq@securityfocus.com>
Message-ID: <3D2C1379.3030405@westpoint.ltd.uk>

Westpoint Security Advisory

Title:        GoAhead Web Server Directory Traversal + Cross Site Scripting
Risk Rating:  Medium
Software:     GoAhead Web Server v2.1
Platforms:    Windows NT/98/95/CE
             Embedded Linux
             Linux
             QNX
             Novell Netware + others

Vendor URL:   www.goahead.com/webserver/webserver.htm
Author:       Matt Moore <matt@westpoint.ltd.uk>
Date:         10th July 2002
Advisory ID#: wp-02-0001

Overview:
=========
GoAhead is an open source 'embedded' web server. Apparently used in various
networking devices from several blue chip companies.

( http://www.goahead.com/webserver/customers.htm )

Details:
========

Cross Site Scripting via 404 messages.
--------------------------------------

GoAhead quotes back the requested URL when responding with a
404. Hence it is possible to perform cross-site scripting attacks,
e.g:

GoAhead-server/SCRIPTalert(document.domain)/SCRIPT

Read arbitrary files from the server running GoAhead(Directory
Traversal)
-------------------------------------------------------------------------

GoAhead is vulnerable to a directory traversal bug. A request such as

GoAhead-server/../../../../../../../ results in an error message
'Cannot open URL'.

However, by encoding the '/' character, it is possible to break out
of the web root and read arbitrary files from the server.  Hence a
request like:

GoAhead-server/..%5C..%5C..%5C..%5C..%5C..%5C/winnt/win.ini returns
the contents of the win.ini file.

Vendor Response:
================
I was unable to obtain any response from GoAhead technical support 
regarding
the identified issues.

Patch Information:
==================
No vendor response, so unsure if fixed version available.

Security History:
=================

http://www.securiteam.com/securitynews/5QP010U3FS.html - Directory
Traversal http://www.securiteam.com/securitynews/5IP0E2K41I.html -
Denial of Service
http://www.securiteam.com/windowsntfocus/5LP040A3RS.html - Denial of
Service

This advisory is available online at:

http://www.westpoint.ltd.uk/advisories/wp-02-0001.txt
(8711542) /Matt Moore <matt@westpoint.ltd.uk>/(Ombruten)