COMMAND

    AOLserver

SYSTEMS AFFECTED

    AOLserver

PROBLEM

    Joe Testa found the following.  A vulnerability exists which allows
    a remote user to break out of the web root using relative paths
    (i.e. '...').

    AOLServer checks the  requested virtual path  for any double  dots
    ('..'), and returns a 'Not  Found' error page if any  are present.
    However, it does not check for  triple dots ('...').   Here  is an
    example URL:

        http://localhost:8000/.../[file outside web root]

    Note that this  vulnerability has only  been tested on  the latest
    stable release (v3.2) for the Win32 platform.

    Microsoft Windows has an undocumented "feature" where '...\' or
    '....\' or '......\' point to parent directories.  This feature is
    obscure and undocumented enough that almost every single web server
    ported to Windows allows viewing of files above the document root
    with this feature.  In fact, Microsoft's own personal web server had
    this problem at one point.

    Linux has had similar problems with undocumented interfaces.  It was
    discovered about a year ago that by using undocumented calls that
    restrict privileges, an attacker could set things up so that a SUID
    root application could not drop its root privileges.

SOLUTION

    No quick fix is possible.  America Online was contacted.  No reply
    was received.

    Here's a possible "quick fix" by Michael A. Cleverly.  Simply copy
    the following Tcl code into a .tcl file in either the server's
    private or public Tcl library (c:\program files\aolserver\modules\tcl
    in the default Windows installation) and restart AOLserver.

    # Run the check before authentication for every GET, POST and HEAD
    # request, whatever the URL.
    ns_register_filter preauth GET  /* windows_triple_dot_check
    ns_register_filter preauth POST /* windows_triple_dot_check
    ns_register_filter preauth HEAD /* windows_triple_dot_check

    # Reject any request whose URL contains a segment starting with three
    # dots ('/...'); the glob also matches longer runs such as '/....'.
    proc windows_triple_dot_check {args} {
        if {[string match */...* [ns_conn url]]} {
            ns_returnforbidden
            return filter_return
        } else {
            return filter_ok
        }
    }
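    The following Python is an added illustration, not part of the
    advisory or of AOLserver, contrasting the deny-list check described
    under PROBLEM (reject only a segment equal to '..') with an
    allow-list check of the kind the Tcl filter above approximates.  It
    goes beyond the advisory's '...' case by also rejecting '....',
    backslash separators and percent-encoded dots; the segment
    allow-list regex and the sample paths are constructed for this
    example.

```python
import re
from urllib.parse import unquote

# Hypothetical allow-list for a single path segment: letters, digits,
# underscore, hyphen and dots.  Any other character is rejected outright.
_SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_.\-]+$")


def _segments(url_path: str) -> list[str]:
    """Percent-decode, then split on '/' and '\\' (Windows accepts both)."""
    return [s for s in re.split(r"[\\/]+", unquote(url_path)) if s != ""]


def naive_double_dot_check(url_path: str) -> bool:
    """The deny-list check the advisory describes: only a segment that is
    exactly '..' is rejected, so '...' and '....' slip through."""
    return ".." not in _segments(url_path)


def allowlist_path_check(url_path: str) -> bool:
    """Stricter check: every segment must match the allow-list, and no
    segment may consist only of dots, because Windows resolves '...',
    '....', '......' and so on to the parent directory just like '..'."""
    for segment in _segments(url_path):
        if len(segment) >= 2 and set(segment) == {"."}:
            return False
        if not _SAFE_SEGMENT.match(segment):
            return False
    return True


# Constructed sample requests; 'target.txt' is a placeholder file name.
SAMPLE_REQUESTS = [
    "/index.html",
    "/../target.txt",
    "/.../target.txt",
    "/docs/....\\target.txt",
    "/docs/%2e%2e%2e/target.txt",
]


def compare_checks() -> dict[str, tuple[bool, bool]]:
    """Map each sample path to (naive_result, allowlist_result); True = allowed."""
    return {p: (naive_double_dot_check(p), allowlist_path_check(p))
            for p in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for path, (naive, strict) in compare_checks().items():
        print(f"{path!r:32} naive={'pass' if naive else 'block'} "
              f"allowlist={'pass' if strict else 'block'}")
```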