COMMAND
SimpleServer:WWW
SYSTEMS AFFECTED
SimpleServer:WWW 1.06 (and possibly previous versions)
PROBLEM
The following is based on a Foundstone advisory by Robin Keir and
Stuart McClure. AnalogX SimpleServer:WWW is a simple but effective web
server designed for the home or small business user. Its main
claim is ease of use and setup.
SimpleServer is vulnerable to a "relative directory path" attack
that allows a remote user to retrieve any known file from the
file system of the server on which it is hosted. In normal use
SimpleServer protects against accessing files above the directory
in which the server is installed. It has been proven to correctly
deny access when using URLs of the following format:
http://www.victim.com/../file.dat
However, substituting each dot character with its hexadecimal
URL-encoded equivalent, %2E, bypasses this restriction, giving the
attacker full read access to any file on the remote system.
An HTTP request of the form
http://www.victim.com/%2E%2E/file.dat
will succeed in retrieving the file "file.dat" from one directory
level above the server root directory if it exists. Using similar
URL requests it has been shown that any known file on the system
can be retrieved. For example, assuming the default installation
location of SimpleServer, a request of the form:
http://www.victim.com/%2E%2E/%2E%2E/windows/user.dat
would retrieve the remote user's registry file from a Windows 95/98
machine, which would very likely contain confidential information.
Another example here shows that it is possible to retrieve the
log files from the web server directory itself:
http://www.victim.com/%2E%2E/%2E%2E/Program%20Files/AnalogX/SimpleServer/www/server.log
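The behaviour described above is consistent with a traversal filter that runs before percent-decoding. The following is an added Python example, not AnalogX or Foundstone code (the advisory does not show SimpleServer's implementation), placing that ordering beside a resolver that decodes and canonicalises first. WEB_ROOT and the function names are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any platform
from urllib.parse import unquote

# Constructed document root, two levels below the drive root (assumption).
WEB_ROOT = r"C:\srv\www"

def _join(decoded):
    # Map a decoded URL path onto the file system and collapse "." / "..".
    return ntpath.normpath(ntpath.join(WEB_ROOT, decoded.lstrip("/\\")))

def resolve_check_then_decode(url_path):
    """Flawed ordering: filter the raw request path, decode afterwards."""
    if ".." in url_path.replace("\\", "/").split("/"):
        return None                      # literal /../ is refused
    return _join(unquote(url_path))      # %2E%2E becomes ".." after the check

def resolve_decode_then_check(url_path):
    """Hardened ordering: decode, canonicalise, then verify containment."""
    decoded = unquote(url_path)
    if "\x00" in decoded:
        return None                      # embedded NUL is never a valid path
    candidate = _join(decoded)
    root = ntpath.normcase(WEB_ROOT)     # Windows paths compare case-insensitively
    cand = ntpath.normcase(candidate)
    if cand != root and not cand.startswith(root + "\\"):
        return None                      # resolved path left the document root
    return candidate

if __name__ == "__main__":
    # Request paths taken from the advisory, plus one benign request.
    for path in ("/../file.dat", "/%2E%2E/file.dat",
                 "/%2E%2E/%2E%2E/windows/user.dat", "/index.html"):
        print(f"{path:35} flawed={resolve_check_then_decode(path)!r:28} "
              f"hardened={resolve_decode_then_check(path)!r}")
```

The containment test is applied to the final canonical path rather than to any textual form of the request, so it does not depend on enumerating encodings of "..".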
SOLUTION
Download SimpleServer:WWW version 1.07 from
http://www.analogx.com/contents/download/network/sswww.htm
Preliminary tests of the fix by Foundstone have confirmed the
problem is corrected.