Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

Multiple Vulnerabilities in PWS 0.2.2
From: "Donato Ferrante" <fdonato () autistici org>
Date: Thu, 11 Mar 2004 12:42:30 -0000
                           Donato Ferrante


Application:  Pegasi Web Server (PWS)
              http://pws.sourceforge.net

Version:      0.2.2

Bugs:         Multiple Vulnerabilities

Author:       Donato Ferrante
              e-mail: fdonato () autistici org
              web:    www.autistici.org/fdonato


xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1. Description
2. The bugs
3. The code
4. The fix



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------
1. Description:
----------------

Vendor's Description:

"Pegasi Web Server (PWS) is a multithreading Java Web server. It is
written by students at the PegasiLUG as a project for Networking."



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
2. The bugs:
-------------

[1] directory traversal bug: the program doesn't check for malicious
    patterns like "/../", so an attacker is able to navigate through
    the system simply using a browser.


[2] cross site scripting bug: the user input strings are not filtered
    and they will appear in the returned page.



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

-------------
3. The code:
-------------

To test the vulnerabilities:

[1]

http://[host]:8080/../../../../etc/passwd

or:

http://[host]:8080/../


[2]

http://[host]:8080/<script>alert("Test")</script>



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

------------
4. The fix:
------------

No fix.
The email addresses provided on the official website seem don't work.


If you want, you can use my following little patch, that should fix
the bugs for this version of Pegasi Web Server:

        ...
        ..
        .

( line: 30 of FileFinder.java ) FileFinder(String httpURIPath)
{

/* start of patch for [1] */


boolean done = false;

for(int z = 0; z < httpURIPath.length()-1; z++){
  if( httpURIPath.charAt(z) == '.' && httpURIPath.charAt(z+1) == '.'){
       this.status = -1;
       done = true;
  }
}

if( done == true ) return;


/* end of patch for [1] */

        .
        ..
        ...

                          - - - - -
        ...
        ..
        .

( line: 233 of Connection.java )

/* start of patch for [2] */


     case -1:    /* nothing found */
     {
       Misc.putSysMessage(0,"Requested file was NOT found.");
       output.outputError(404, " ");
       //before "output.outputError(404,httpURI);"
       break;
     }

     
/* end of patch for [2] */

      .
      ..
      ...



xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]