http Server Read Access
Updated 2/9/01
Impact
The web server allows remote users to read arbitrary
files on the system. If the password or shadow file
can be read, the attacker could crack account passwords
and gain access to the system.
Background
Web servers normally service requests for files under
their document root directory. For example, if a server
has its root directory in /var/www/htdocs, and
it receives a request for http://server/page.html,
it sends the file /var/www/htdocs/page.html back
to the client.
The Problem
Operating systems allow path names to refer to a parent
directory using the "../" string. An attacker
could attempt to exploit this feature to retrieve files
from directories outside of the document root directory.
Most web servers remove the "../" strings
from requested URLs. However, some web servers can still
be exploited by using three dots instead of two (".../")
or by including backslash characters ("\../" or "..\").
Others can be tricked into accepting a "../" by encoding the dots into
their hexadecimal ASCII representation. Thus a pathname
including one or more instances of the string
"%2E%2E/" could be used to retrieve arbitrary
files from the server.
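
The difference between stripping "../" before decoding and checking the path after decoding, shown as an added example (not code from any of the servers listed on this page). The function names and sample requests are constructed for illustration; the document root is the one used in the Background section.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/htdocs"  # document root from the Background example


def naive_resolve(url_path, root=DOC_ROOT):
    """Flawed order: strip literal "../" first, decode afterwards."""
    stripped = url_path.replace("../", "")
    return posixpath.normpath(root + unquote(stripped))


def resolve(url_path, root=DOC_ROOT):
    """Return the file path under root, or None if the request is refused."""
    # 1. Decode %XX escapes first, so "%2E%2E/" is seen as "../".
    # 2. Treat backslashes as separators, so "..\" is seen as "../".
    decoded = unquote(url_path).replace("\\", "/")
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    # 3. Refuse any segment made only of dots ("..", "...", and longer)
    #    rather than trying to strip it out of the string.
    if any(len(s) >= 2 and set(s) == {"."} for s in segments):
        return None
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    # 4. Defense in depth: the normalized path must still sit under root.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


# Constructed sample requests covering the variants described above.
SAMPLES = [
    "/page.html",
    "/../../../etc/passwd",
    "/.../.../etc/passwd",
    "/..\\..\\etc\\passwd",
    "/%2E%2E/%2E%2E/%2E%2E/etc/passwd",
]

if __name__ == "__main__":
    for request in SAMPLES:
        print(f"{request!r:40} naive={naive_resolve(request)!r:32} "
              f"checked={resolve(request)!r}")
```

The check is purely lexical; a server that follows symbolic links would also need to compare the resolved filesystem path (for example with os.path.realpath) against the document root.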
Related CVE entries:
CVE 2000-0920 BOA web server
CVE 2001-0189 LocalWEB2000
CVE 2001-0462 Perl web server
CVE 2001-0467 RobTex Viking
CVE 2001-0495 DataWizard WebXQ
CVE 2001-0574 MP3Mystic
CVE 2001-0615 Faust Informatics Freestyle chat server
CVE 2001-0982 IBM Tivoli WebSEAL Policy Director
Resolutions
Contact the vendor of the web server for a fix. If
a fix is unavailable, it would be advisable to choose
a different web server.
Where can I read more about this?
For an example of this vulnerability, see Bugtraq and CORE-SDI.