                           Donato Ferrante


Application:  RaidenHTTPD
              http://www.raidenhttpd.com/

Version:      1.1.27

Bug:          directory traversal

Date:         05-Feb-2005

Author:       Donato Ferrante
              e-mail: fdonato@autistici.org
              web:    www.autistici.org/fdonato


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bug
3. The code
4. The fix

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"RaidenHTTPD is a full featured web server software for
Windows 98/Me/2000/XP/2003 platforms."

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
2. The bug:
------------

By default the program has some checks to reject malicious patterns
such as "/../" in HTTP requests, but it does not handle the initial
"/" in requests properly.

If you send a request like:

  > GET /somefile HTTP/1.1

the webserver will return the requested file if it is available in the
DocumentRoot directory.

But if you send a request like:

  > GET somefile HTTP/1.1

the webserver will return the requested file if it is available on the
disk partition where the httpd is installed.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerability, send a raw HTTP request to the server like:

  GET windows/system.ini HTTP/1.1
  Host: localhost

This will display Windows' system.ini if the HTTP server is installed
on the same partition as Windows.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

Vendor was contacted.
Bug fixed in version 1.1.31.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
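
The check that section 2 describes as missing, shown as an added example (not code from this advisory or from RaidenHTTPD): a request target without a leading "/" is refused outright, and every accepted target is confined to the document root. DOC_ROOT and all function names are assumptions; ntpath is used so the Windows path handling behaves the same on any platform.

```python
import ntpath
from urllib.parse import unquote

DOC_ROOT = r"C:\httpd\htdocs"  # constructed example path, not from the advisory


class BadRequest(ValueError):
    """Request target rejected before any file-system access."""


def resolve_target(target: str, doc_root: str = DOC_ROOT) -> str:
    """Map an origin-form request target to a path inside doc_root."""
    # A target such as "windows/system.ini" (no leading "/") is refused
    # instead of being resolved against some other base directory.
    if not target.startswith("/"):
        raise BadRequest("request target must start with '/'")
    # Decode percent-escapes before validating, so "%2e%2e" is seen as "..".
    path = unquote(target.split("?", 1)[0])
    # Backslash, drive colon and NUL change a path's meaning on Windows.
    if any(c in path for c in ("\x00", "\\", ":")):
        raise BadRequest("illegal character in path")
    # Drop empty and "." segments; refuse ".." rather than collapsing it.
    segments = [s for s in path.split("/") if s not in ("", ".")]
    if ".." in segments:
        raise BadRequest("parent-directory segment")
    root = ntpath.normpath(doc_root)
    full = ntpath.normpath(ntpath.join(root, *segments))
    # Final containment check on the normalised result.
    if full != root and not full.startswith(root + "\\"):
        raise BadRequest("path escapes document root")
    return full


def check(target: str) -> str:
    """Return the resolved path, or the 400 response the server would send."""
    try:
        return resolve_target(target)
    except BadRequest as exc:
        return f"400 {exc}"


if __name__ == "__main__":
    # Constructed sample targets, including the two forms from section 2.
    for t in ["/somefile", "somefile", "windows/system.ini",
              "/../windows/system.ini", "/%2e%2e/windows/system.ini"]:
        print(f"{t!r:32} -> {check(t)}")
```
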