Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » GoAhead Web Server Directory Traversal + Cross Site Scripting

GoAhead Web Server Directory Traversal + Cross Site Scripting

by Nikola Strahija on July 11th, 2002 GoAhead is an open source 'embedded' web server. Apparently used in various networking devices from several blue chip companies. ( http://www.goahead.com/webserver/customers.htm )


Details:
========


Cross Site Scripting via 404 messages.
--------------------------------------


GoAhead quotes back the requested URL when responding with a 404. Hence it
is possible to perform cross-site scripting attacks, e.g:


GoAhead-server/SCRIPTalert(document.domain)/SCRIPT


Read arbitrary files from the server running GoAhead(Directory Traversal)
-------------------------------------------------------------------------


GoAhead is vulnerable to a directory traversal bug. A request such as


GoAhead-server/../../../../../../../ results in an error message
'Cannot open URL'.


However, by encoding the '/' character, it is possible to break out of the
web root and read arbitrary files from the server.
Hence a request like:


GoAhead-server/..%5C..%5C..%5C..%5C..%5C..%5C/winnt/win.ini returns the
contents of the win.ini file.


Vendor Response:
================
I was unable to obtain any response from GoAhead technical support regarding
the identified issues.


Patch Information:
==================
No vendor response, so unsure if fixed version available.


Security History:
=================


http://www.securiteam.com/securitynews/5QP010U3FS.html - Directory Traversal
http://www.securiteam.com/securitynews/5IP0E2K41I.html - Denial of Service
http://www.securiteam.com/windowsntfocus/5LP040A3RS.html - Denial of Service


This advisory is available online at:


http://www.westpoint.ltd.uk/advisories/wp-02-0001.txt







Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »