Vulnerability: AOLserver

Affected: AOLserver

Description

Joe Testa found the following. A vulnerability exists which allows a remote user to break out of the web root using relative paths (i.e. '...'). AOLserver checks the requested virtual path for any double dots ('..'), and returns a 'Not Found' error page if any are present. However, it does not check for triple dots ('...'). Here is an example URL:

    http://localhost:8000/.../[file outside web root]

Note that this vulnerability has only been tested on the latest stable release (v3.2) for the Win32 platform.

Microsoft Windows has an undocumented "feature" where '...\' or '....\' or '......\' point to parent directories. This feature is obscure and undocumented enough that almost every web server ported to Windows allows viewing of files above the document root with it. In fact, Microsoft's own Personal Web Server had this problem at one point. Linux has had similar problems with undocumented interfaces. It was discovered about a year ago that by using undocumented calls that restrict privileges, an attacker could set things up so that a SUID root application could not drop its root privileges.

Solution

No quick fix is possible. America Online was contacted. No reply was received.

Here's a possible "quick fix" by Michael A. Cleverly. Simply copy the following Tcl code into a .tcl file in either the server's private or public Tcl library (c:\program files\aolserver\modules\tcl in the default Windows installation) and restart AOLserver.

    # Run the check before authentication for every method that can serve
    # a file, so the filter cannot be bypassed by the request method.
    ns_register_filter preauth GET  /* windows_triple_dot_check
    ns_register_filter preauth POST /* windows_triple_dot_check
    ns_register_filter preauth HEAD /* windows_triple_dot_check

    # Refuse any request whose URL contains a path segment that begins with
    # three dots; the glob pattern also matches four or more dots.
    proc windows_triple_dot_check {args} {
        if {[string match */...* [ns_conn url]]} {
            ns_returnforbidden
            return filter_return
        } else {
            return filter_ok
        }
    }
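The filter above blocks the specific '...' pattern by string matching. A more general defence, shown here as an added example that is not part of the advisory or of AOLserver, is to reject every path segment made up only of dots (two or more, in any count) after URL-decoding and splitting on both '/' and '\', and then to confirm that the resolved file path still lies under the document root. The document root and the sample URLs are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed document root for the example (not a real AOLserver setting).
DOC_ROOT = "/srv/www/htdocs"


def is_dot_segment(segment: str) -> bool:
    """True for '..', '...', '....', ... : every segment that is only dots.

    Windows treats any run of two or more dots as a parent reference, so a
    check for '..' alone (or '...' alone) is not enough; reject the whole class.
    """
    return len(segment) >= 2 and set(segment) == {"."}


def safe_local_path(url_path: str, doc_root: str = DOC_ROOT):
    """Map a requested URL path to a local file path, or return None to refuse.

    Steps: decode percent-escapes so '%2e%2e%2e' is seen as '...', split on
    both separators Windows accepts, refuse dot-only segments, then rebuild
    the path and verify it did not escape the document root.
    """
    decoded = unquote(url_path)
    # Split on '/' and '\' alike: Windows file APIs accept either separator.
    segments = re.split(r"[/\\]", decoded)
    if any(is_dot_segment(seg) for seg in segments):
        return None
    # Drop empty segments and '.' (current directory), which are harmless.
    cleaned = [seg for seg in segments if seg not in ("", ".")]
    candidate = posixpath.normpath(posixpath.join(doc_root, *cleaned))
    # Belt-and-braces containment check: even if the segment filter is later
    # weakened, a path outside the root is still refused here.
    if candidate != doc_root and not candidate.startswith(doc_root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: the first two are legitimate, the rest are traversal attempts.
    for req in ("/index.html", "/a.b/notes...txt", "/.../boot.ini",
                "/../etc/passwd", "/docs/....\\secret.txt", "/%2e%2e%2e/boot.ini"):
        print(f"{req!r:32} -> {safe_local_path(req)}")
```

A file whose name merely contains dots ('notes...txt') passes, because only segments consisting entirely of dots are parent references; the advisory's glob pattern, by contrast, would also refuse a file named '...notes'.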