Home page logo

bugtraq logo Bugtraq mailing list archives

Re: [Tclhttpd-users] Re: TCLHttpd Server - Multiple Vulnerabilities
From: Brent Welch <welch () panasas com>
Date: Wed, 24 Sep 2003 13:39:07 -0700

Here is the patch for the dirlist.tcl bug
Please note also that with this bug you can see a
directory listing, but you cannot fetch any files that
you might be able to see.  The server running at www.tcl.tk
has had this patch applied to it.

*** dirlist.tcl 4 Apr 2003 04:10:54 -0000       1.10
--- dirlist.tcl 24 Sep 2003 20:32:28 -0000
*** 174,180 ****
      set path [file split $dir]

      # Filter pattern to avoid leaking path information
!     regsub -all {\.\./} $pattern {} pattern

      set list [glob -nocomplain -- [file join $dir $pattern]]
      if {[llength $path] > 1} {
--- 174,181 ----
      set path [file split $dir]

      # Filter pattern to avoid leaking path information
!     regsub -all {\.+/} $pattern {} pattern
!     set pattern [string trimleft $pattern /]

      set list [glob -nocomplain -- [file join $dir $pattern]]
      if {[llength $path] > 1} {

Michael Schlenker said:
Phuong Nguyen wrote:

Released Date 09/23/2003

TCLHttpd 3.4.2 - Multiple Vulnerabilities

"TclHttpd is used both as a general-purpose Web
server, and as a framework for building server
applications. It implements Tcl (http://www.tcl.tk),
including the Tcl Resource Center and Scriptics'
electronic commerce facilities. It is also
built into several commercial applications such as
license servers and mail spam filters. Instructions
for setting up the TclHttpd on your platform are given
towards the end of the chapter, on page See The
TclHttpd Distribution. It works on Unix, Windows, and
Macintosh. You can have the server up and running

More information at

One should add the sourceforge Project:

Affected Version    : TCLHttpd 3.4.2 (latest) and
probably older builds
Tested Platform             : Linux(x86)

Mutiple flaws in TCLHttpd server which open door for
an attacker to browse any directories on the remote
host, and to inject 

malicious javascript/vbscript content to the user's
browser under the TCLHttpd server context (Cross Site

[Vulnerability #1] Arbitrary Directory Browsing

When a user requests a directory on TCLHttpd server,
httpdthread.tcl will start to look for various default
index file names in that directory, if none can be
found then it will pass the operation to dirlist.tcl
script to do the "fancy" directory listing which
provides users the ability to sort files by modify
date, name, size or file's pattern. Dirlist.tcl script
does filter inputs from the users in order to prevent
directory traversal but it can be easily bypassed if
an absolute path was entered. Directory listing is
enabled by default.

For example: Requesting
http://abc.com/images/?pattern=/*&sort=name will
return you a list of directory under /

Confirmed. This is similar to:

[Vulnerability #2] Cross Site Scripting (XSS)

TCLHttpd web server comes with various modules in
order to increase the flexibility of the server, and
/debug module is enable by default which allows you to
download logging information, debug the Tcl part of
the application without restarting the hosting

Many modules are suffered from the
multiple Cross Site Scripting (XSS) vulnerabilities
that potentially enable a malicious user to "inject"
code into a user's session under TCLHttpd server
context. I'm going to use the /debug module as an


You can eliminate the threats from these
vulnerabilities by editing your httpdthread.tcl and
comment out the directory listing option, also you
should disable the following modules to prevent Cross
Site Scripting: Status, Debug, Mail and Admin.

Michael Schlenker

This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
TclHttpd-users mailing list
TclHttpd-users () lists sourceforge net

Brent Welch
Software Architect, Panasas Inc
Delivering the World's Most Scalable and Agile Storage Network
welch () panasas com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]