COMMAND
AOLserver
SYSTEMS AFFECTED
AOLserver
PROBLEM
Joe Testa found the following. A vulnerability exists which allows a
remote user to break out of the web root using relative paths
(ie: '...').
AOLServer checks the requested virtual path for any double dots
('..'), and returns a 'Not Found' error page if any are present.
However, it does not check for triple dots ('...'). Here is an
example URL:
http://localhost:8000/.../[file outside web root]
Note that this vulnerability has only been tested on the latest
stable release (v3.2) for the Win32 platform.
Microsoft Windows has an undocumented "feature" where '...\' or
'....\' or '......\' point to parent directories. This feature
is obscure and undocumented enough that almost every single web
server ported to Windows allows viewing of files above the
document root with this feature. In fact, Microsoft's own
Personal Web Server had this problem at one point.
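The weakness described above is a pattern check that stops at the exact
string '..' while the operating system treats any run of two or more dots
as "parent directory". The following added example (not code from the
advisory, from AOLserver or from the finders) models that check in Python
beside a hardened segment-based check. The function names, the sample
request paths and the file name 'private.txt' are all constructed for the
demonstration; 'weak_check' is a hypothetical reconstruction of the
behaviour the advisory describes, not AOLserver's actual code. The strict
check also covers percent-encoded dots and backslash separators, which go
beyond the single URL form shown above.

```python
from urllib.parse import unquote

# Constructed sample request paths for the demonstration (not taken from the
# advisory); "private.txt" stands in for any file outside the document root.
SAMPLE_PATHS = [
    "/index.html",
    "/../private.txt",            # classic traversal: a '..' segment
    "/.../private.txt",           # the triple-dot form from the advisory
    "/images/..../private.txt",   # longer dot runs resolve upward on Win32 too
    "/%2e%2e%2e/private.txt",     # percent-encoded triple dot
    "/notes/file...txt",          # dots mixed with other characters: legitimate
]


def weak_check(path):
    """Model of the check the advisory describes: only a segment that is
    exactly '..' is rejected, everything else passes. Hypothetical
    reconstruction, not AOLserver's code."""
    return ".." not in unquote(path).split("/")


def strict_check(path):
    """Hardened check: reject any segment that consists solely of two or
    more dots, after percent-decoding and after treating backslashes as
    separators (Win32 accepts both). '..', '...', '....' share one rule;
    a lone '.' (current directory) is harmless and stays allowed."""
    decoded = unquote(path).replace("\\", "/")
    for segment in decoded.split("/"):
        if len(segment) >= 2 and segment.strip(".") == "":
            return False
    return True


def classify(paths):
    """Return (path, weak_verdict, strict_verdict) for each request,
    True meaning the check would let the request through."""
    return [(p, weak_check(p), strict_check(p)) for p in paths]


if __name__ == "__main__":
    for path, weak, strict in classify(SAMPLE_PATHS):
        weak_s = "allow" if weak else "deny"
        strict_s = "allow" if strict else "deny"
        print(f"{path:28} weak={weak_s:5} strict={strict_s}")
```

Running the block shows the triple-dot and percent-encoded paths passing
the weak check while being denied by the strict one, and the legitimate
'file...txt' name passing both. A segment filter like this is a first line
of defence only; the complementary control is to canonicalize the final
filesystem path and confirm it still lies under the document root before
opening anything.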
Linux has had similar problems with undocumented interfaces. It
was discovered about a year ago that by using undocumented calls
that restrict privileges, an attacker could set things up so that a
SUID root application could not drop its root privileges.
SOLUTION
No quick fix is possible. America Online was contacted. No reply
was received.
Here's a possible "quick fix" by Michael A. Cleverly. Simply copy
the following Tcl code into a .tcl file in either the server's
private or public Tcl library
(c:\program files\aolserver\modules\tcl in the default Windows
installation) and restart AOLserver.
    # Run the check before authorization on every GET, POST and HEAD request.
    ns_register_filter preauth GET /* windows_triple_dot_check
    ns_register_filter preauth POST /* windows_triple_dot_check
    ns_register_filter preauth HEAD /* windows_triple_dot_check

    # Reject any request URL containing a path segment that begins with
    # three dots. The glob pattern */...* also matches segments of four or
    # more dots, since those share the "/..." prefix.
    proc windows_triple_dot_check {args} {
        if {[string match */...* [ns_conn url]]} {
            ns_returnforbidden
            return filter_return
        } else {
            return filter_ok
        }
    }