HTTP Server Read Access

Impact

The web server allows remote users to read arbitrary files on the system. If the password or shadow file can be read, the attacker could crack account passwords and gain access to the system.

Background

Web servers normally service requests for files under their document root directory. For example, if a server has its root directory in /var/www/htdocs, and it receives a request for http://server/page.html, it sends the file /var/www/htdocs/page.html back to the client.

The Problem

Operating systems allow path names to refer to a parent directory using the "../" string. An attacker could attempt to exploit this feature to retrieve files from directories outside of the document root directory. Web servers normally remove the "../" strings from URLs. However, an attacker can trick the web server into accepting a "../" by encoding the dots as their hexadecimal ASCII representation, %2E. Thus a pathname including one or more instances of the string "%2E%2E/" could be used to retrieve arbitrary files from the server.
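
The ordering problem described above, as an added example (not code from any particular web server). It assumes the document root from the Background section; the function names resolve_flawed, resolve_safe and audit, and the sample request paths, are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/htdocs"  # document root used in the Background section


def resolve_flawed(url_path):
    """Remove "../" BEFORE percent-decoding, so the filter never sees "%2E%2E/"."""
    filtered = url_path.replace("../", "")   # only matches literal dots
    decoded = unquote(filtered)              # "%2E%2E/" turns into "../" here
    return posixpath.normpath(DOC_ROOT + "/" + decoded.lstrip("/"))


def resolve_safe(url_path):
    """Decode once, canonicalize, then require the result to stay under DOC_ROOT.

    Returns the path to serve, or None when the request must be rejected.
    The check is lexical; a server that follows symlinks would also need
    os.path.realpath() on the candidate before comparing.
    """
    decoded = unquote(url_path)
    if "\x00" in decoded:                    # reject embedded NUL bytes
        return None
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    if candidate != DOC_ROOT and not candidate.startswith(DOC_ROOT + "/"):
        return None
    return candidate


def audit(paths):
    """Return the requests the flawed resolver maps outside DOC_ROOT."""
    return [p for p in paths
            if not resolve_flawed(p).startswith(DOC_ROOT + "/")]


# Constructed sample requests (not taken from real traffic).
SAMPLES = [
    "/page.html",
    "/../../../etc/passwd",              # literal form: stripped by the filter
    "/%2E%2E/%2E%2E/%2E%2E/etc/passwd",  # encoded form from the text above
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", resolve_flawed(p), "|", resolve_safe(p))
```

The containment test compares against DOC_ROOT plus a trailing "/", so a sibling directory such as /var/www/htdocs-old is not mistaken for part of the document root.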

Resolutions

Contact the vendor of the web server for a fix. If a fix is unavailable, it would be advisable to choose a different web server.

Where can I read more about this?

For an example of this vulnerability, see Bugtraq and CORE-SDI.