Directory traversal using specially crafted HTTP headers
Bug #959477 reported by Corbin
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
HTTPy | Fix Released | Critical | Corbin | 
Bug Description
Modern web browsers ignore "../" in the URL, and just send the request without them, making the server seem secure. But sending requests to the server without a web browser allows you to put anything in the headers that you want.
Using python sockets, I was able to get a copy of the host's /etc/passwd file. My header was quite simple:
"GET /../../
And the server simply responded with a "200 OK" header, and the host's /etc/passwd file.
If the daemon is running as root, an attacker will be able to look at virtually any file in the file system. This is a serious problem, and should be addressed before the first release of HTTPy.
description: updated
description: updated
visibility: private → public
Changed in httpy: status: New → Confirmed
Changed in httpy: status: Confirmed → Fix Committed
Changed in httpy: importance: High → Critical
Changed in httpy: status: Confirmed → Fix Released
The "fix" in revision 8 did not fix it at all. An attacker has to use "....//" instead of "../" and it is vulnerable again. Reopening.
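The following is an added example, not HTTPy's code and not the revision 8 patch. It illustrates both the original report (a raw-socket request carries "../" intact, and the OS resolves it when the file is opened) and the bypass in the comment above. It assumes a document root of /srv/www, constructed request bytes, and that the revision 8 fix was a single non-recursive removal of "../" (the comment only says "....//" gets through, which is exactly what a one-pass strip allows). The hardened resolver normalises first and then checks containment in the document root, which is order-independent and not defeated by doubled sequences or percent-encoding.

```python
"""Added example: path-traversal handling of the kind a server like HTTPy needs.

Not HTTPy's code. DOC_ROOT and the request bytes are constructed for illustration.
posixpath is used instead of os.path so the results are identical on every OS.
"""
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/srv/www"  # assumed document root, not HTTPy's real setting

# Constructed requests. A browser would collapse "../" before sending; a raw
# socket (as in the report) delivers exactly these bytes to the server.
REQ_PLAIN = b"GET /../../etc/passwd HTTP/1.0\r\nHost: example\r\n\r\n"
REQ_DOUBLED = b"GET /....//....//etc/passwd HTTP/1.0\r\nHost: example\r\n\r\n"
REQ_ENCODED = b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\nHost: example\r\n\r\n"
REQ_NORMAL = b"GET /index.html?x=1 HTTP/1.0\r\nHost: example\r\n\r\n"


def request_path(raw: bytes) -> str:
    """Return the decoded path component of the request-target."""
    request_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    _method, target, _version = request_line.split(" ", 2)
    path = target.split("?", 1)[0]      # drop the query string
    return unquote(path)                # percent-decode exactly once


def resolve_naive(path: str):
    """The one-pass 'strip ../' approach (assumed shape of the revision 8 fix).

    Whatever survives the strip is handed to the OS, which happily resolves
    any remaining '..' components; posixpath.normpath stands in for that.
    """
    stripped = path.replace("../", "")
    return posixpath.normpath(posixpath.join(DOC_ROOT, stripped.lstrip("/")))


def resolve_safe(path: str):
    """Normalise fully, then refuse anything that left DOC_ROOT.

    Returns the absolute path to open, or None if the request must be rejected.
    A production server should additionally apply os.path.realpath() to the
    candidate so that symlinks inside the root cannot point back out of it.
    """
    if "\x00" in path:                  # NUL would truncate the path in C-level open()
        return None
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, path.lstrip("/")))
    if candidate != DOC_ROOT and not candidate.startswith(DOC_ROOT + "/"):
        return None
    return candidate


def handle(raw: bytes, resolver):
    """Minimal dispatcher: (status, filesystem path) for a raw request.

    A real server would now open() the path and may still answer 404.
    """
    target = resolver(request_path(raw))
    if target is None:
        return (403, None)
    return (200, target)


if __name__ == "__main__":
    for name, req in (("plain", REQ_PLAIN), ("doubled", REQ_DOUBLED),
                      ("encoded", REQ_ENCODED), ("normal", REQ_NORMAL)):
        print(f"{name:8} naive -> {handle(req, resolve_naive)}")
        print(f"{name:8} safe  -> {handle(req, resolve_safe)}")
```

Running the block shows the one-pass strip turning "/....//....//etc/passwd" into "/../../etc/passwd" and serving /etc/passwd, while the containment check rejects every escaping variant and still serves ordinary paths.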