Skip Menu |

This queue is for tickets about the HTTP-Server-Simple-Static CPAN distribution.

Report information
The Basics
Id: 123178
Status: open
Priority: 0/
Queue: HTTP-Server-Simple-Static
People
Owner: sjq-perl [...] jadevine.org.uk
Requestors: PERLMAX [...] cpan.org
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)
Attachments
HTTP-Server-Simple-Static-0.13.tar.gz

History Show all quoted text
  Mon Oct 02 18:52:05 2017 PERLMAX [...] cpan.org - Ticket created
Subject: HTTP::Server::Simple::Static is vulnerable for Path traversal attack
Hello, I noticed, that HTTP::Server::Simple::Static is vulnerable for Path traversal attacks. I tested on my local machine the following path: http://localhost:8080/files%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd and could read my /etc/passwd :-( Best wishes, Max
  Wed Oct 04 11:21:27 2017 sjq-perl [...] jadevine.org.uk - Correspondence added
I've tried to reproduce the problem with version 0.12 but so far have failed. Which version of the module are you using? Could you provide some small example code which has the problem? Regards, Stephen Quinney On Mon Oct 02 18:52:05 2017, PERLMAX wrote: Show quoted text
> Hello, > > I noticed, that HTTP::Server::Simple::Static is vulnerable for Path > traversal attacks. I tested on my local machine the following path: > http://localhost:8080/files%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd > and could read my /etc/passwd :-( > > Best wishes, > Max
  Wed Oct 04 11:21:28 2017 The RT System itself - Status changed from 'new' to 'open'
  Wed Oct 04 11:21:28 2017 sjq-perl [...] jadevine.org.uk - Taken
  Wed Oct 04 13:11:36 2017 PERLMAX [...] cpan.org - Correspondence added
Hello, I use HTTP::Server::Simple::Static version 0.12 and HTTP::Server::Simple version 0.510.0 from Mageia Linux 6. My test script is easy: package MyServer; use base qw(HTTP::Server::Simple::CGI); use HTTP::Server::Simple::Static; my $webroot = '/home/maximilian/public_html/static/static'; sub handle_request { my ( $self, $cgi ) = @_; if ( !$self->serve_static( $cgi, $webroot ) ) { print "HTTP/1.0 404 Not found\r\n"; print $cgi->header, $cgi->start_html('Not found'), $cgi->h1('Not found'), $cgi->end_html; } } package main; my $server = MyServer->new(); $server->run(); The server runs under my personal account, which of course has the permission to read /etc/passwd... Best wishes, Max
  Wed Oct 04 13:32:58 2017 sjq-perl [...] jadevine.org.uk - Correspondence added
Thanks for the code, this is all very puzzling, I still cannot make it work for me. Attached is a proposed version 0.13 which does the path processing in a different way which should be safer. Regards, Stephen On Wed Oct 04 13:11:36 2017, PERLMAX wrote: Show quoted text
> Hello, > > I use HTTP::Server::Simple::Static version 0.12 and > HTTP::Server::Simple version 0.510.0 from Mageia Linux 6. > > My test script is easy: > > package MyServer; > > use base qw(HTTP::Server::Simple::CGI); > use HTTP::Server::Simple::Static; > > my $webroot = '/home/maximilian/public_html/static/static'; > > sub handle_request { > my ( $self, $cgi ) = @_; > > if ( !$self->serve_static( $cgi, $webroot ) ) { > print "HTTP/1.0 404 Not found\r\n"; > print $cgi->header, > $cgi->start_html('Not found'), > $cgi->h1('Not found'), > $cgi->end_html; > } > } > > package main; > > my $server = MyServer->new(); > $server->run(); > > The server runs under my personal account, which of course has the > permission to read /etc/passwd... > > Best wishes, > Max
Subject: HTTP-Server-Simple-Static-0.13.tar.gz
Download HTTP-Server-Simple-Static-0.13.tar.gz
application/gzip 6.3k

Message body not shown because it is not plain text.

  Wed Oct 04 14:23:02 2017 PERLMAX [...] cpan.org - Correspondence added
Dear Stephen, Thank you very much for your help. Unfortunately the problem still occurs. It is really curious. I did a little debugging and printed $realpath and $base. This is the output: REALPATH /home/maximilian/public_html/static/static/favicon.ico BASE /home/maximilian/public_html/static/static /home/maximilian/public_html/static/static/favicon.ico doesn't exist. And I requested for http://localhost:8080/files%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd, not /favicon.ico... Best wishes, Max
  Wed Oct 04 14:53:49 2017 sjq-perl [...] jadevine.org.uk - Correspondence added
A web browser may attempt to fetch the favicon.ico so that it can display the icon image for a page before requesting the actual page. Stephen On Wed Oct 04 14:23:02 2017, PERLMAX wrote: Show quoted text
> Dear Stephen, > Thank you very much for your help. Unfortunately the problem still > occurs. It is really curious. I did a little debugging and printed > $realpath and $base. This is the output: > > REALPATH /home/maximilian/public_html/static/static/favicon.ico > BASE /home/maximilian/public_html/static/static > > /home/maximilian/public_html/static/static/favicon.ico doesn't exist. > And I requested for > http://localhost:8080/files%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd, > not /favicon.ico... > > Best wishes, > Max
  Wed Oct 04 15:04:58 2017 sjq-perl [...] jadevine.org.uk - Correspondence added
I've tried to replicate your setup as closely as possible with a base directory of /home/stephen/public_html/static/static Making a request to http://localhost:8080/%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd gives: BASE /home/stephen/public_html/static/static REQUEST PATH //../../../../../../etc/passwd UNESCAPED PATH //../../../../../../etc/passwd FULLPATH /home/stephen/public_html/static/static/../../../../../../etc/passwd REALPATH /etc/passwd Note that this maps to a realpath of /etc/passwd but it then goes on to return a "Not Found" to the browser for me. Stephen On Wed Oct 04 14:23:02 2017, PERLMAX wrote: Show quoted text
> Dear Stephen, > Thank you very much for your help. Unfortunately the problem still > occurs. It is really curious. I did a little debugging and printed > $realpath and $base. This is the output: > > REALPATH /home/maximilian/public_html/static/static/favicon.ico > BASE /home/maximilian/public_html/static/static > > /home/maximilian/public_html/static/static/favicon.ico doesn't exist. > And I requested for > http://localhost:8080/files%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd, > not /favicon.ico... > > Best wishes, > Max
  Wed Oct 04 17:28:09 2017 PERLMAX [...] cpan.org - Correspondence added
Dear Stephen, oh, sorry, version 0.13 does work for me, too! I forgot to delete the cache of my browser, so that the old /etc/passwd was delivered even after the update of HTTP::Server::Simple::Static! In 0.13 I get "Not found", too. But 0.12 still is broken for me, so that your offered patch is important for me. Sorry for giving a false feedback... Thanks for your fast help, Max
  Thu Oct 05 05:43:01 2017 sjq-perl [...] jadevine.org.uk - Correspondence added
That's good news, thanks for testing the new version, I will aim to get that shipped out fairly soon. Stephen On Wed Oct 04 17:28:09 2017, PERLMAX wrote: Show quoted text
> Dear Stephen, > > oh, sorry, version 0.13 does work for me, too! I forgot to delete the > cache of my browser, so that the old /etc/passwd was delivered even > after the update of HTTP::Server::Simple::Static! > > In 0.13 I get "Not found", too. But 0.12 still is broken for me, so > that your offered patch is important for me. > > Sorry for giving a false feedback... > > Thanks for your fast help, > Max