
[#401] HTTP GET vulnerability on windows

Date: 2013-11-26 14:42
Priority: 3
State: Open
Submitted by: André Guérard (andreguerard)
Assigned to: Stéphane ROUGES (srouges)
Target Fix Version: none
Product: DPWS Core
Operating System: Windows XP
Component: DCRuntime
Version: v2.4.0
Severity: major
Resolution: Fixed
Hardware: All
URL:
Summary: HTTP GET vulnerability on windows

Detailed description
In dcDPWS_HttpGet.c, when DC_WITH_HTTP_GET is set, the function dpws_http_send_file is used to send back a file from the filesystem upon a GET request from the client.
This function uses the function build_gz_file_path to build the file path, and at the same time checks that the requested path is not out of the limits defined by the default folder for the HTTP file repository.
This security check works fine on Linux, but not on Windows (use of '\' instead of '/').

At lines 217/218, replace

if (*src == '.' && (src == path || *(src-1) == '/')) {
if (*(src+1) == '.' && *(src+2) == '/') {
by

if (*src == '.' && (src == path || (*(src-1) == '/') || (*(src-1) == '\\') )) {
if (*(src+1) == '.' && (*(src+2) == '/' || *(src+2) == '\\')) {
Message
Date: 2014-02-12 14:34
Sender: Stéphane ROUGES

Fixed in trunk. Preferred to block '\' in file URLs which are obviously an attack.

Field | Old Value | Date | By
Resolution | None | 2014-02-12 14:34 | srouges
assigned_to | none | 2014-02-11 17:00 | srouges
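
Added example, not DPWS Core code: a minimal C sketch of why a ".." check that only treats '/' as a separator accepts a backslash-separated path, next to a variant that refuses any backslash outright, the approach the maintainer's message describes. All function names and the sample paths are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: true if path contains a ".." segment, treating only
 * the characters listed in seps as segment separators. */
static bool has_dotdot_segment(const char *path, const char *seps)
{
    const char *p = path;
    while (*p) {
        size_t len = strcspn(p, seps);      /* length of current segment */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return true;
        p += len;
        if (*p)
            p++;                            /* step over the separator */
    }
    return false;
}

/* Separator assumption of the reported check: only '/' splits segments. */
bool slash_only_check_accepts(const char *path)
{
    return !has_dotdot_segment(path, "/");
}

/* Hardened variant: a backslash has no place in a file URL, so reject it
 * before looking for ".." segments at all. */
bool hardened_check_accepts(const char *path)
{
    if (strchr(path, '\\') != NULL)
        return false;
    return !has_dotdot_segment(path, "/");
}

int main(void)
{
    /* Constructed sample request paths. */
    const char *samples[] = { "docs/index.html", "../secret.txt",
                              "..\\secret.txt", "docs\\..\\secret.txt" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s slash-only:%d hardened:%d\n", samples[i],
               slash_only_check_accepts(samples[i]),
               hardened_check_accepts(samples[i]));
    return 0;
}
```

Rejecting the backslash first avoids having to enumerate every place a second separator could appear in the ".." test.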