
GoAhead WebServer v.2.0 and v.2.1. Directory traversal vulnerability

    GoAhead WebServer


    GoAhead WebServer v.2.0 and v.2.1.


    Sergey Nenashev found the following.  He has found a bug in the
    GoAhead WebServer, v.2.0 and v.2.1.  An attacker can get any file
    from the drive where the web server was installed.  Try follow

    This vulnerability may allow an attacker to execute code with the
    privileges of the GoAhead (Administrator? or root?)
    \..\..\..\..\..\winnt\system32\cmd.exe?/c+dir+c:\


    Patch for this vulnerability:

    in file: url.c
    in function websUrlParse(...)

    int websUrlParse(char_t *url, char_t **pbuf, char_t **phost, char_t **ppath,
            char_t **pport, char_t **pquery, char_t **pproto, char_t **ptag,
            char_t **pext)
    {
            char_t          *tok, *cp, *host, *path, *port, *proto, *tag, *query, *ext, *slash;
            char_t          *last_delim, *hostbuf, *portbuf, *buf;
            int                     c, len, ulen;

            ulen = gstrlen(url);
    /*
     *      Deny directory traversal vulnerability
     */
            while((slash = strchr(url, '\\')) != NULL) {
                            *slash = '/';
            }
    /*
     *      We allocate enough to store separate hostname and port number fields.
     *      As there are 3 strings in the one buffer, we need room for 3 null chars.
     *      We allocate MAX_PORT_LEN char_t's for the port number.
     */
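
The patch only rewrites '\' to '/'; it relies on the server's later path handling to reject ".." segments. The following is an added example, not GoAhead code and not part of the original advisory: it pairs the same normalization with an explicit containment check. The function name url_path_is_contained and the sample paths are hypothetical, and the input is assumed to be already percent-decoded.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not part of GoAhead): rewrite '\' to '/' in place,
 * as the patch does, then walk the segments and track how deep the path
 * sits below the document root. Returns 0 if the path stays inside the
 * root, -1 if any prefix of it climbs above the root.
 * Assumes the path has already been percent-decoded. */
int url_path_is_contained(char *path)
{
    char *p;
    int depth = 0;

    /* Step 1: same normalization as the patch. */
    for (p = path; *p != '\0'; p++) {
        if (*p == '\\')
            *p = '/';
    }

    /* Step 2: segment walk. "." and empty segments are neutral,
     * ".." pops one level, anything else pushes one level. */
    p = path;
    while (*p != '\0') {
        size_t seglen = strcspn(p, "/");

        if (seglen == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return -1;          /* climbed above the root */
        } else if (seglen > 0 && !(seglen == 1 && p[0] == '.')) {
            depth++;
        }
        p += seglen;
        if (*p == '/')
            p++;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample request paths. */
    char ok[]   = "/images/../index.html";
    char bad1[] = "/cgi-bin\\..\\..\\file.txt";
    char bad2[] = "/a/../../b";

    printf("%d %d %d\n", url_path_is_contained(ok),
           url_path_is_contained(bad1), url_path_is_contained(bad2));
    return 0;
}
```

Running the check after normalization matters: without step 1, the backslash form is a single segment and passes the ".." test untouched.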
