Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Servers :: savant~1.htm

Savant WWW url-encoded characters filtering problem



Vulnerability

    Savant WWW

Affected

    Savant WWW Unicode version 2.1

Description

    Following is based  on a Hexyn/Securax  Advisory #18.   Savant WWW
    Server is an HTTP server for Windows 9x/NT.  A bug allows any user
    to change  to any  directory, and  in most  cases, execute  MS-DOS
    commands.

    Savant filters "/.." out of the string, but forgets "%2f..".

        http://www.testserver.com/%2f..%2f..%2f../

        HTTP Directory of //../../../
        <directory listing of c:\>

    - When the user does  not know a directory which  allows listings,
      one  cannot  get  a  listing,  but  one  can still download know
      files.
    - When the user know  a directory which allows CGI-execution,  one
      can execute MS-DOS commands using:

        http://www.test_server.com/cgi-bin/%2f..%2f..%2f../cmd.exe?+/c+dir

    Bug discovered by t-Omicr0n.

Solution

    At this time, no patch is available yet.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH