8711542 2002-07-10 11:59 +0100 /80 rader/ Matt Moore <matt@westpoint.ltd.uk> Sänt av: joel@lysator.liu.se Importerad: 2002-07-10 18:44 av Brevbäraren Extern mottagare: bugtraq <bugtraq@securityfocus.com> Mottagare: Bugtraq (import) <23009> Ärende: wp-02-0001: GoAhead Web Server Directory Traversal + Cross Site Scripting ------------------------------------------------------------ From: Matt Moore <matt@westpoint.ltd.uk> To: bugtraq <bugtraq@securityfocus.com> Message-ID: <3D2C1379.3030405@westpoint.ltd.uk> Westpoint Security Advisory Title: GoAhead Web Server Directory Traversal + Cross Site Scripting Risk Rating: Medium Software: GoAhead Web Server v2.1 Platforms: Windows NT/98/95/CE Embedded Linux Linux QNX Novell Netware + others Vendor URL: www.goahead.com/webserver/webserver.htm Author: Matt Moore <matt@westpoint.ltd.uk> Date: 10th July 2002 Advisory ID#: wp-02-0001 Overview: ========= GoAhead is an open source 'embedded' web server. Apparently used in various networking devices from several blue chip companies. ( http://www.goahead.com/webserver/customers.htm ) Details: ======== Cross Site Scripting via 404 messages. -------------------------------------- GoAhead quotes back the requested URL when responding with a 404. Hence it is possible to perform cross-site scripting attacks, e.g: GoAhead-server/SCRIPTalert(document.domain)/SCRIPT Read arbitrary files from the server running GoAhead(Directory Traversal) ------------------------------------------------------------------------- GoAhead is vulnerable to a directory traversal bug. A request such as GoAhead-server/../../../../../../../ results in an error message 'Cannot open URL'. However, by encoding the '/' character, it is possible to break out of the web root and read arbitrary files from the server. Hence a request like: GoAhead-server/..%5C..%5C..%5C..%5C..%5C..%5C/winnt/win.ini returns the contents of the win.ini file. Vendor Response: ================ I was unable to obtain any response from GoAhead technical support regarding the identified issues. Patch Information: ================== No vendor response, so unsure if fixed version available. Security History: ================= http://www.securiteam.com/securitynews/5QP010U3FS.html - Directory Traversal http://www.securiteam.com/securitynews/5IP0E2K41I.html - Denial of Service http://www.securiteam.com/windowsntfocus/5LP040A3RS.html - Denial of Service This advisory is available online at: http://www.westpoint.ltd.uk/advisories/wp-02-0001.txt (8711542) /Matt Moore <matt@westpoint.ltd.uk>/(Ombruten)