Vulnerability

    GoAhead WebServer

Affected

    GoAhead WebServer v.2.0 and v.2.1

Description

    Sergey Nenashev found the following. He has found a bug in the
    GoAhead WebServer, v.2.0 and v.2.1. An attacker can get any file
    from the drive where the web server was installed. Try the
    following request:

        http://www.somehost.com/..\..\..\..\..\..\autoexec.bat

    This vulnerability may allow an attacker to execute code with the
    privileges of GoAhead (Administrator? or root?):

        http://www.somehost.com/cgi-bin/..\..\..\..\..\..\winnt\system32\cmd.exe?/c+dir+c:\

Solution

    Patch for this vulnerability, in file url.c, in function
    websUrlParse(...):

    int websUrlParse(char_t *url, char_t **pbuf, char_t **phost,
                     char_t **ppath, char_t **pport, char_t **pquery,
                     char_t **pproto, char_t **ptag, char_t **pext)
    {
        char_t  *tok, *cp, *host, *path, *port, *proto, *tag, *query, *ext, *slash;
        char_t  *last_delim, *hostbuf, *portbuf, *buf;
        int     c, len, ulen;

        a_assert(url);
        a_assert(pbuf);

        ulen = gstrlen(url);

    /*
     *  Deny directory traversal vulnerability
     */
        while((slash = strchr(url, '\\')) != NULL) {
            *slash = '/';
        }

    /*
     *  We allocate enough to store separate hostname and port number fields.
     *  As there are 3 strings in the one buffer, we need room for 3 null chars.
     *  We allocate MAX_PORT_LEN char_t's for the port number.
     */
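The patch converts backslashes to forward slashes before the URL is parsed; any rejection of ".." segments has to happen in code not shown here. The following is an added example, not GoAhead source and not part of the advisory: a stand-alone check (the name path_stays_in_root is hypothetical) that treats both separators alike and refuses any path that climbs above the document root.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example (not GoAhead code). Both '/' and '\\' count as path
 * separators, so "..\\..\\x" is handled the same way as "../../x". */
static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Returns 1 if `path` never climbs above the root it is relative to,
 * 0 if some ".." segment would step outside it. */
int path_stays_in_root(const char *path)
{
    int depth = 0;                       /* directories below the root */
    const char *p = path;

    while (*p) {
        const char *seg;
        size_t len;

        while (is_sep(*p)) p++;          /* skip runs of separators */
        seg = p;
        while (*p && !is_sep(*p)) p++;   /* advance to end of segment */
        len = (size_t)(p - seg);

        if (len == 0 || (len == 1 && seg[0] == '.'))
            continue;                    /* empty or "." changes nothing */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (--depth < 0)
                return 0;                /* stepped above the root */
            continue;
        }
        depth++;                         /* ordinary name: one level down */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample paths, modelled on the requests in the advisory. */
    const char *samples[] = {
        "/index.html", "/a/b/../c.html",
        "/..\\..\\..\\autoexec.bat", "/cgi-bin/..\\..\\winnt\\system32\\cmd.exe",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s %s\n", samples[i],
               path_stays_in_root(samples[i]) ? "allow" : "reject");
    return 0;
}
```

Run a check like this on the path after URL decoding, so that an encoded separator or dot is seen in its decoded form.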