Directory traversal using specially crafted HTTP headers
Bug #959477 reported by
Corbin
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| HTTPy |
Fix Released
|
Critical
|
Corbin | ||
Bug Description
Modern web browsers ignore "../" in the URL, and just send the request without them, making the server seem secure. But sending requests to the server without a web browser allows you to put anything in the headers that you want.
Using python sockets, I was able to get a copy of the host's /etc/passwd file. My header was quite simple:
"GET /../../
And the server simply responded with a "200 OK" header, and the host's /etc/passwd file.
If the daemon is running as root, an attacker will be able to look at virtually any file in the file system. This is a serious problem, and should be addressed before the first release of HTTPy.
| description: | updated |
| description: | updated |
| visibility: | private → public |
| Changed in httpy: | |
| status: | New → Confirmed |
| Changed in httpy: | |
| status: | Confirmed → Fix Committed |
Revision history for this message
| Corbin (corbin) wrote | #1 |
| Changed in httpy: | |
| status: | Fix Committed → Confirmed |
| Changed in httpy: | |
| importance: | High → Critical |
Revision history for this message
| Corbin (corbin) wrote | #2 |
| Changed in httpy: | |
| status: | Confirmed → Fix Released |
To post a comment you must log in.
The "fix" in revision 8 did not fix it at all. An attacker has to use "....//" instead of "../" and it is vulnerable again. Reopening.