Date:         Tue, 8 Aug 2000 22:42:37 +0900
From: "TAKAGI, Hiromitsu" <takagi@ETL.GO.JP>
Subject:      Brown Orifice HTTPD Directory Traversal Vulnerability (was Re:
To: BUGTRAQ@SECURITYFOCUS.COM

=====================================================
Brown Orifice HTTPD Directory Traversal Vulnerability
=====================================================

Background
----------
  Brown Orifice HTTPD (BOHTTPD) <http://www.brumleve.com/BrownOrifice/>
  is "a web server and file sharing tool" that runs as a Java Applet in
  Netscape Navigator.(*1)  It was written by Dan Brumleve and was
  announced in BugTraq a few days ago.

Problem Description
-------------------
  Brumleve's demonstration page politely asks users to specify a
  directory on their computer for public access. However, by specifying
  "\.." in HTTP requests to the server, an attacker can navigate the
  server's file system and view/download any files. For example,
      http://your-ip-address:8080/C:/temp/\../
  or
      http://your-ip-address:8080/C:/temp/%5C../ (for Internet Explorer
      as a client)
  will display the contents of the root directory of the C: drive of
  the server's computer.

Affected versions and platforms
-------------------------------
  This bug has been verified to be present in BOHTTPD 0.1 in
  Netscape Navigator 4.72 for Windows.

Workaround
----------
  Do not use BOHTTPD.  :-)


(*1) This is also a security hole per se, as you know.

Regards,
--
Hiromitsu Takagi
Electrotechnical Laboratory
http://www.etl.go.jp/~takagi/
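
Added example (not part of the original advisory and not BOHTTPD's code): a containment check that rejects the two request forms shown under "Problem Description". It uses Python's ntpath so Windows path rules apply on any host; the function names, the "C:/temp" shared directory and the weak forward-slash filter are assumptions constructed for illustration.

```python
import ntpath
from urllib.parse import unquote


def naive_is_safe(url_path: str) -> bool:
    """Constructed weak filter: only looks for the forward-slash form."""
    return "/../" not in url_path


def resolve_request(shared_root: str, url_path: str):
    """Return the normalized Windows path if it stays inside shared_root,
    otherwise None. Works on the path string only (no filesystem access)."""
    decoded = unquote(url_path)          # %5C becomes a backslash first
    if "\x00" in decoded:
        return None
    # Requests on the page look like /C:/temp/... so drop the leading slash.
    # normpath treats both "/" and "\" as separators and collapses "..".
    candidate = ntpath.normcase(ntpath.normpath(decoded.lstrip("/")))
    root = ntpath.normcase(ntpath.normpath(shared_root))
    # Compare on a separator boundary so C:\temp2 does not match C:\temp.
    prefix = root.rstrip("\\") + "\\"
    if candidate == root or candidate.startswith(prefix):
        return candidate
    return None


if __name__ == "__main__":
    # Request paths: the first two are the forms quoted in the advisory,
    # the rest are constructed samples.
    samples = [
        "/C:/temp/\\../",
        "/C:/temp/%5C../",
        "/C:/temp/../",
        "/C:/temp/docs/a.txt",
        "/C:/temp2/x",
    ]
    for path in samples:
        print(f"{path!r:28} naive_ok={naive_is_safe(path)!s:5} "
              f"resolved={resolve_request('C:/temp', path)!r}")
```

A server that opens real files should also resolve links on disk before the comparison; this sketch checks the path string only.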