
Two vulnerabilities in Simple HTTPD 1.38

#######################################################################

                             Luigi Auriemma

Application:  Simple HTTPD
Versions:     <= 1.38
Platforms:    Windows, *nix, QNX, RTEMS
              only Windows seems vulnerable
Bugs:         A] directory traversal
              B] scripts and CGI viewing/downloading
                 (%20 char found by Shay priel in Jun 2007)
Exploitation: remote
Date:         07 Dec 2007
Author:       Luigi Auriemma
              e-mail: [email protected]
              web:    aluigi.org

1) Introduction
2) Bugs
3) The Code
4) Fix

===============
1) Introduction
===============

Simple HTTPD (shttpd) is an open source web server created for embedded
systems.

=======
2) Bugs
=======

----------------------
A] directory traversal
----------------------

Using the "../" pattern it is possible to download any file on the disk
on which the web root directory is located.

--------------------------------------
B] scripts and CGI viewing/downloading
--------------------------------------

Any script or CGI on the server can be viewed/downloaded instead of
being executed simply by appending the chars '+', '.', %20 (this one
reported by Shay priel in the summer of 2007), %2e and any other byte
(in hex format too) greater than 0x7f to the requested filename.

Note that only Windows seems vulnerable to the above bugs.

===========
3) The Code
===========

A]
http://SERVER/../../../boot.ini
http://SERVER/../%2e%2e%5c../boot.ini

B]
http://SERVER/file.php+
http://SERVER/file.php%80
http://SERVER/file.php%ff
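
A request-path filter that rejects every URL listed in this section, added here as an example (it is not shttpd's code and not part of the advisory). The function names are hypothetical, and rejecting all bytes above 0x7f and every trailing '+', '.' or space is a deliberately conservative assumption.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical helper: value of one hex digit, or -1. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode src into dst. Returns the length, or -1 on a malformed
 * escape, a decoded NUL byte, or a path that does not fit in cap bytes. */
static int url_decode(const char *src, unsigned char *dst, size_t cap) {
    size_t n = 0;
    for (; *src; src++) {
        int c = (unsigned char)*src;
        if (c == '%') {
            int hi = hexval((unsigned char)src[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[2]);
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            src += 2;
        }
        if (c == 0 || n + 1 >= cap) return -1;
        dst[n++] = (unsigned char)c;
    }
    dst[n] = 0;
    return (int)n;
}

/* Hypothetical filter: returns 1 if the request path may be mapped to a
 * file, 0 if it matches a pattern from bug A] or B] of the advisory. */
int request_path_is_safe(const char *raw) {
    unsigned char p[1024];
    int len = url_decode(raw, p, sizeof p);
    if (len <= 0 || p[0] != '/') return 0;
    for (int i = 0; i < len; i++) {
        if (p[i] == '\\' || p[i] > 0x7f) return 0; /* "%5c" and high bytes */
        /* a ".." path segment, bounded by '/' or the end of the path */
        if (p[i] == '/' && p[i + 1] == '.' && p[i + 2] == '.' &&
            (p[i + 3] == '/' || p[i + 3] == 0)) return 0;
    }
    /* trailing '+', '.' or space, the suffixes listed under B] */
    return strchr("+. ", p[len - 1]) == NULL;
}

int main(void) { /* exit status 0: the first path under A] is rejected */
    return request_path_is_safe("/../../../boot.ini");
}
```

Run the check on the decoded bytes that are then used both to open the file and to decide whether it is a script, so the name that is validated is the name that is served.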

======
4) Fix
======

I have posted the problems in the shttpd-general mailing-list but there
is no reply yet:
