Skip Menu |
 

This queue is for tickets about the HTTP-Server-Simple-Static CPAN distribution.

Report information
The Basics
Id: 123178
Status: open
Priority: 0/
Queue: HTTP-Server-Simple-Static

People
Owner: sjq-perl [...] jadevine.org.uk
Requestors: PERLMAX [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Attachments


Subject: HTTP::Server::Simple::Static is vulnerable for Path traversal attack
Download (untitled) / with headers
text/plain 273b
Hello, I noticed, that HTTP::Server::Simple::Static is vulnerable for Path traversal attacks. I tested on my local machine the following path: http://localhost:8080/files%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd and could read my /etc/passwd :-( Best wishes, Max
Download (untitled) / with headers
text/plain 552b
I've tried to reproduce the problem with version 0.12 but so far have failed. Which version of the module are you using? Could you provide some small example code which has the problem? Regards, Stephen Quinney On Mon Oct 02 18:52:05 2017, PERLMAX wrote: Show quoted text
> Hello, > > I noticed, that HTTP::Server::Simple::Static is vulnerable for Path > traversal attacks. I tested on my local machine the following path: > http://localhost:8080/files%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd > and could read my /etc/passwd :-( > > Best wishes, > Max
Download (untitled) / with headers
text/plain 783b
Hello, I use HTTP::Server::Simple::Static version 0.12 and HTTP::Server::Simple version 0.510.0 from Mageia Linux 6. My test script is easy: package MyServer; use base qw(HTTP::Server::Simple::CGI); use HTTP::Server::Simple::Static; my $webroot = '/home/maximilian/public_html/static/static'; sub handle_request { my ( $self, $cgi ) = @_; if ( !$self->serve_static( $cgi, $webroot ) ) { print "HTTP/1.0 404 Not found\r\n"; print $cgi->header, $cgi->start_html('Not found'), $cgi->h1('Not found'), $cgi->end_html; } } package main; my $server = MyServer->new(); $server->run(); The server runs under my personal account, which of course has the permission to read /etc/passwd... Best wishes, Max
Thanks for the code, this is all very puzzling, I still cannot make it work for me. Attached is a proposed version 0.13 which does the path processing in a different way which should be safer. Regards, Stephen On Wed Oct 04 13:11:36 2017, PERLMAX wrote: Show quoted text
> Hello, > > I use HTTP::Server::Simple::Static version 0.12 and > HTTP::Server::Simple version 0.510.0 from Mageia Linux 6. > > My test script is easy: > > package MyServer; > > use base qw(HTTP::Server::Simple::CGI); > use HTTP::Server::Simple::Static; > > my $webroot = '/home/maximilian/public_html/static/static'; > > sub handle_request { > my ( $self, $cgi ) = @_; > > if ( !$self->serve_static( $cgi, $webroot ) ) { > print "HTTP/1.0 404 Not found\r\n"; > print $cgi->header, > $cgi->start_html('Not found'), > $cgi->h1('Not found'), > $cgi->end_html; > } > } > > package main; > > my $server = MyServer->new(); > $server->run(); > > The server runs under my personal account, which of course has the > permission to read /etc/passwd... > > Best wishes, > Max
Subject: HTTP-Server-Simple-Static-0.13.tar.gz

Message body not shown because it is not plain text.

Download (untitled) / with headers
text/plain 509b
Dear Stephen, Thank you very much for your help. Unfortunately the problem still occurs. It is really curious. I did a little debugging and printed $realpath and $base. This is the output: REALPATH /home/maximilian/public_html/static/static/favicon.ico BASE /home/maximilian/public_html/static/static /home/maximilian/public_html/static/static/favicon.ico doesn't exist. And I requested for http://localhost:8080/files%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd, not /favicon.ico... Best wishes, Max
Download (untitled) / with headers
text/plain 733b
A web browser may attempt to fetch the favicon.ico so that it can display the icon image for a page before requesting the actual page. Stephen On Wed Oct 04 14:23:02 2017, PERLMAX wrote: Show quoted text
> Dear Stephen, > Thank you very much for your help. Unfortunately the problem still > occurs. It is really curious. I did a little debugging and printed > $realpath and $base. This is the output: > > REALPATH /home/maximilian/public_html/static/static/favicon.ico > BASE /home/maximilian/public_html/static/static > > /home/maximilian/public_html/static/static/favicon.ico doesn't exist. > And I requested for > http://localhost:8080/files%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd, > not /favicon.ico... > > Best wishes, > Max
Download (untitled) / with headers
text/plain 1.1k
I've tried to replicate your setup as closely as possible with a base directory of /home/stephen/public_html/static/static Making a request to http://localhost:8080/%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd gives: BASE /home/stephen/public_html/static/static REQUEST PATH //../../../../../../etc/passwd UNESCAPED PATH //../../../../../../etc/passwd FULLPATH /home/stephen/public_html/static/static/../../../../../../etc/passwd REALPATH /etc/passwd Note that this maps to a realpath of /etc/passwd but it then goes on to return a "Not Found" to the browser for me. Stephen On Wed Oct 04 14:23:02 2017, PERLMAX wrote: Show quoted text
> Dear Stephen, > Thank you very much for your help. Unfortunately the problem still > occurs. It is really curious. I did a little debugging and printed > $realpath and $base. This is the output: > > REALPATH /home/maximilian/public_html/static/static/favicon.ico > BASE /home/maximilian/public_html/static/static > > /home/maximilian/public_html/static/static/favicon.ico doesn't exist. > And I requested for > http://localhost:8080/files%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd, > not /favicon.ico... > > Best wishes, > Max
Download (untitled) / with headers
text/plain 386b
Dear Stephen, oh, sorry, version 0.13 does work for me, too! I forgot to delete the cache of my browser, so that the old /etc/passwd was delivered even after the update of HTTP::Server::Simple::Static! In 0.13 I get "Not found", too. But 0.12 still is broken for me, so that your offered patch is important for me. Sorry for giving a false feedback... Thanks for your fast help, Max
Download (untitled) / with headers
text/plain 572b
That's good news, thanks for testing the new version, I will aim to get that shipped out fairly soon. Stephen On Wed Oct 04 17:28:09 2017, PERLMAX wrote: Show quoted text
> Dear Stephen, > > oh, sorry, version 0.13 does work for me, too! I forgot to delete the > cache of my browser, so that the old /etc/passwd was delivered even > after the update of HTTP::Server::Simple::Static! > > In 0.13 I get "Not found", too. But 0.12 still is broken for me, so > that your offered patch is important for me. > > Sorry for giving a false feedback... > > Thanks for your fast help, > Max


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.