linux, säkerhet

5336306 2000-08-07  08:57  /19 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12069>
Markerad av 2 personer.
Ärende: Dangerous Java/Netscape Security Hole
------------------------------------------------------------
From: Dan Brumleve <dan+security@BRUMLEVE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20000805020429.11774.qmail@securityfocus.com>

Dear BugTraq,

I've found some security holes in Java and Netscape
that allow arbitrary network access and read-access
for local files and directories.  As a demonstration
I've written Brown Orifice HTTPD, a web server and file
sharing tool that runs in Netscape Communicator on all
tested platforms.  For more information, see:

http://www.brumleve.com/BrownOrifice

--
Dan Brumleve <dan+security@brumleve.com>
(5336306) ------------------------------------------
Kommentar i text 5336313
Kommentar i text 5336961 av Rikard Bosnjakovic (blev ingen Cendiot)
Kommentar i text 5342828 av Brevbäraren (som är implementerad i) Python
Läsa nästa kommentar.
5342828 2000-08-08  18:11  /48 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12113>
Kommentar till text 5336306 av Brevbäraren (som är implementerad i) Python
Extra kopia: Plötsliga lustigheter <3830>
    Sänt:     2000-08-08 23:31
    Sänt av David Hedbor (Real Networks)
Markerad av 1 person.
Ärende: Brown Orifice HTTPD Directory Traversal Vulnerability (was Re:
------------------------------------------------------------
 Dangerous Java/Netscape Security Hole)
From: "TAKAGI, Hiromitsu" <takagi@ETL.GO.JP>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <39900E4D185.7F0DTAKAGI@java-house.etl.go.jp>

=====================================================
Brown Orifice HTTPD Directory Traversal Vulnerability
=====================================================

Background
----------
  Brown Orifice HTTPD (BOHTTPD) <http://www.brumleve.com/BrownOrifice/>
  is "a web server and file sharing tool" that runs as a Java Applet in
  Netscape Navigator.(*1)  It was written by Dan Brumleve and was
  announced in BugTraq a few days ago.

Problem Description
-------------------
  Brumleve's demonstration page politely asks users to specify a
  directory on their computer for public access. However, by specifying
  "\.." in HTTP requests to the server, an attacker can navigate the
  server's file system and view/download any files. For example,
      http://your-ip-address:8080/C:/temp/\../
  or
      http://your-ip-address:8080/C:/temp/%5C../ (for Internet Explorer
      as a client)
  will display the contents of the root directory of C: drive of the
  server's computer.

Affected versions and platforms
-------------------------------
  This bug has been verified to be present on the BOHTTPD 0.1 in
  Netscape Navigator 4.72 for Windows.

Workaround
----------
  Do not use BOHTTPD.  :-)


(*1) This is also a security hole per se, as you know.

Regards,
--
Hiromitsu Takagi
Electrotechnical Laboratory
http://www.etl.go.jp/~takagi/
(5342828) ------------------------------------------

5347530 2000-08-09  20:29  /45 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12129>
Kommentar till text 5342828 av Brevbäraren (som är implementerad i) Python
Ärende: Re: Brown Orifice HTTPD Directory Traversal Vulnerability (was
------------------------------------------------------------
 Re: Dangerous Java/Netscape Security Hole)
From: "Michael H. Warfield" <mhw@WITTSEND.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20000808121505.C18696@alcove.wittsend.com>

On Tue, Aug 08, 2000 at 10:42:37PM +0900, TAKAGI, Hiromitsu wrote:
	[...]

> Problem Description
> -------------------
>   Brumleve's demonstration page politely asks users to specify a
>   directory on their computer for public access. However, by specifying
>   "\.." in HTTP requests to the server, an attacker can navigate the
>   server's file system and view/download any files. For example,
>       http://your-ip-address:8080/C:/temp/\../
>   or
>       http://your-ip-address:8080/C:/temp/%5C../ (for Internet Explorer
>       as a client)
>   will display the contents of the root directory of C: drive of the
>   server's computer.

> Affected versions and platforms
> -------------------------------
>   This bug has been verified to be present on the BOHTTPD 0.1 in
>   Netscape Navigator 4.72 for Windows.

	This does not appear to be effective against Netscape Communicator
4.74 on Linux.  I get permission denied for any plain ".." in the path
anywhere and anything with "\.." or "%5c.." gets a Java runtime error
complaining that the directory "\.." was not found.

> Workaround
> ----------
>   Do not use BOHTTPD.  :-)

	:-)

	Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
(5347530) ------------------------------------------