GoAhead Web Server Directory Traversal + Cross Site Scripting
11th Jul 2002 [SBWID-5532]
COMMAND

	GoAhead Web Server Directory Traversal + Cross Site Scripting

SYSTEMS AFFECTED

	GoAhead Web Server v2.1

PROBLEM

	In Matt Moore [matt@westpoint.ltd.uk] advisory [ID#:wp-02-0001]
	[http://www.westpoint.ltd.uk]:
	

	 Cross Site Scripting via 404 messages.

	 --------------------------------------

	

	GoAhead quotes back the requested URL when responding with a 404.  Hence
	it is possible to perform cross-site scripting attacks, e.g:
	

	GoAhead-server/<SCRIPT>alert(document.domain)</SCRIPT>

	

	 Read arbitrary files from the server running GoAhead(Directory Traversal)

	 -------------------------------------------------------------------------

	

	GoAhead is vulnerable to a directory traversal bug. A request such as
	

	GoAhead-server/../../../../../../../ 

	

	results in an error message 'Cannot open URL'.
	

	However, by encoding the '/' character, it is possible to break out
	of the web root and read arbitrary files from the server. Hence a
	request like:
	

	GoAhead-server/..%5C..%5C..%5C..%5C..%5C..%5C/winnt/win.ini 

	

	returns the contents of the win.ini file.
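
	Added example, not part of the advisory or of GoAhead's code: a
	containment check in C that decodes percent-escapes once and treats
	the backslash as a path separator before counting ".." segments, so
	the "..%5C" request above is rejected like the plain "../" one. The
	function name url_path_is_contained is hypothetical.

```c
#include <ctype.h>
#include <stddef.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/*
 * Hypothetical helper (not GoAhead's API): returns 1 if the raw request
 * path stays inside the web root, 0 if it must be rejected.
 * Percent-escapes are decoded once and '\' is treated as a separator
 * before ".." segments are counted, so "..%5C" is handled like "../".
 */
int url_path_is_contained(const char *raw)
{
    int depth = 0;       /* directory levels below the web root */
    size_t seglen = 0;   /* length of the current path segment */
    int dots_only = 1;   /* current segment so far is only '.' characters */

    for (const char *p = raw; ; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) return 0;            /* malformed escape */
            c = hi * 16 + lo;
            if (c == 0) return 0;            /* encoded NUL byte */
            p += 2;
        }
        if (c == '/' || c == '\\' || c == 0) {   /* segment boundary */
            if (dots_only && seglen == 2) {
                if (--depth < 0) return 0;   /* ".." climbed above the root */
            } else if (seglen > 0 && !(dots_only && seglen == 1)) {
                depth++;                     /* ordinary name; "." is skipped */
            }
            seglen = 0;
            dots_only = 1;
            if (c == 0) return 1;            /* end of string, never escaped */
            continue;
        }
        if (c != '.') dots_only = 0;
        seglen++;
    }
}
```

	The file must then be opened using the same once-decoded form that
	was checked; decoding again after the check would reintroduce the
	problem.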

SOLUTION

	None yet
