rejetto forum

Software => HFS ~ HTTP File Server => Bug reports => Topic started by: PC on January 15, 2009, 03:41:15 PM

Title: [SOLVED] BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: PC on January 15, 2009, 03:41:15 PM
1) Start HFS
2) Turn on the server
3) Drag a folder from somewhere (e.g. something from the Desktop) into HFS
4) Answer that you want a Real Folder
5) Go from the browser to the HFS main site
6) Go inside the shared folder (e.g. localhost/TEST/)
7) Add "..." to the URL (e.g. localhost/TEST/...)
8) Press Enter...

9) You will see the content of the folder one level up !!!
10) In this way (with a shared folder from the Desktop as "Real") you can freely browse all of "Documents and Settings" etc....

Can somebody fix it?  :o

Regards
PC
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: Mars on January 15, 2009, 05:47:35 PM
Before posting a bug, you have to clarify which version of HFS you use and possibly the type of operating system.

Did you think of making a test with the default template?

A test on build 217 raised no problem. I did exactly what you say, but nothing ???
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: MarkV on January 15, 2009, 06:12:13 PM
Getting: HTTP 404 - Not Found

build #218, RAWR template 0.1.1
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: Pit on January 15, 2009, 06:54:24 PM
I also get a 404 HTTP error (Not found)

Build 218, lightly modified default template
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: PC on January 15, 2009, 07:12:06 PM
Checked - problem exists on:

a) all older Windows versions (9x)
b) all templates
c) HFS 2.0 / 2.2e / 2.3 beta 318
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: maverick on January 15, 2009, 08:08:11 PM
Checked - problem exists on:

a) all older Windows versions (9x)
b) all templates
c) HFS 2.0 / 2.2e / 2.3 beta 318

You say all Windows versions (9x)
Did you personally try it on Windows 95, Windows 98, Windows 98SE etc.?  I doubt many would be using those old OSes anymore (maybe Win98SE is still used by a few).

You say all templates.  Can you be more specific and let us know which ones you are talking about?

When you are making a security claim like you have done, please make sure you give us all of the information so we can check it out to see if it is reproducible.
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: Mars on January 15, 2009, 08:51:32 PM
Information or propaganda?

Quote
Checked - problem exists on:

a) all older Windows versions (9x)
b) all templates
c) HFS 2.0 / 2.2e / 2.3 beta 318

Like maverick, I ask myself the question

But as one never knows, in case it has never come up, it would be necessary to give us a weblink to your HFS server so that we can see it for ourselves

You can send me the link by private message to limit the risks, if needed (you must be registered on the forum)
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: rejetto on January 15, 2009, 11:51:21 PM
a) all older Windows versions (9x)
b) all templates
c) HFS 2.0 / 2.2e / 2.3 beta 318

I tested with both 2.2e and 2.3 on Windows XP, and it gives me "not found" as for the others.
I can't test Win9x. Can someone?

Anyway, it sounds strange, since it should not depend on Windows: the test to prevent ".." is made by HFS itself.
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: rejetto on January 16, 2009, 02:44:41 PM
Thanks for testing on win98.
I fear this report is a fake.
I will wait a couple of days, then I'll delete it to avoid people thinking it's true.
You know I rarely delete on the forum, but this may be misinformation.
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: MarkV on January 16, 2009, 03:21:20 PM
This is no fake. Just tested on Win95C, and it is real. Latest beta, default template. Browser is SeaMonkey 1.1.4.

1. Created directory 'test' on my desktop.
2. Dragged in HFS. (root is bound to 'C:\Download')
3. Chose 'Real folder'
4. Opened the root in browser. (http://localhost)
5. Browsed into directory 'test' (http://localhost/test/)
6. Added the three dots to the address (http://localhost/test/...)
7. Now I could see the contents of my 'C:\Windows' directory, which is the parent of 'C:\Windows\Desktop' (http://localhost/test/.../)
8. Scratched my head...  :-\

(Screenshot: http://img405.imageshack.us/my.php?image=errxc5.jpg)

The same thing under Vista does not seem to work.


Edit: Win98SE same problem...
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: r][m on January 16, 2009, 05:17:00 PM
Mark V
Many thanks, I stand corrected. (removed prev post)
I find it happens with a 192.168.1.xx LAN address, and the folder
doesn't have to be named test. My 2nd screenshot is really disturbing.
It brought up my HFS directory, which is not in the VFS? Complete with
remote CSS formatting.

But... I find that it doesn't seem to work with folders that already exist?
If the properties or flags are changed, results get unpredictable.
I may shut down completely until this is resolved!
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: MarkV on January 16, 2009, 05:29:59 PM
Three possible theories:
1) It is a 9x problem.
2) It is a problem with FAT32.
3) It is a problem with MS-DOS, all 9x-kernel OS are still based on it.

Unfortunately I have no NT-based Windows with FAT32 (though I think I could set one up quickly).

If you open the command line ('DOS', COMMAND.COM) and type cd ... in a 9x-kernel OS, you go up 2 directories.
The very same command does not work in an NT-kernel OS, where DOS is only a virtual machine (NTVDM, CMD.EXE)
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: r][m on January 16, 2009, 06:42:14 PM
It seems that a folder named Test added to the VFS from the directory HFS is
in did not do this, but I can't say it only occurs from the desktop.
Since I'd never create a folder on the desktop to use in the VFS, I'll consider this
as not too serious, yet. I'll test my existing file structure a bit more though.
Saving the VFS and options, hiding or stopping/restarting HFS didn't stop this behavior.

On Win 98SE, using 218, and my HFS is on "E", not C

Uh, oh - just found a MAJOR problem.
Haven't been able to stop this one yet?  :-\
We need to try this from out on the net, not just locally.
Edit:
Rejetto - sent you a PM about this !!
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: MarkV on January 16, 2009, 07:52:28 PM
Number 2 is negative. Windows 2000 Pro and FAT32 - no problem.
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: r][m on January 16, 2009, 08:03:27 PM
Mark V
I'll try to PM you before I leave for work
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: MarkV on January 16, 2009, 09:55:29 PM
The error occurs everywhere. '...' means 'go up 2 directories'; maybe rejetto only covered '..'?
So if you share a directory directly below HFS, the bug allows you to go to the parent directory of HFS (Program Files?) and from there to all directories and files of this directory, including HFS itself. This is serious.

If the directory shared is only 1 or 2 levels deep, no bug. It starts to appear from the 3rd level and below.
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: Metaltailz on January 16, 2009, 10:20:32 PM
Tested in Windows XP Pro, confirmed negative.
Next monday I will test it on a Windows NT system. (Don't have access to it on the weekend)
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: Mars on January 16, 2009, 10:35:49 PM
Can somebody make the same test under Windows 9x using \.... (with 4 dots instead of 3) and report the result, please ;)

Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: Guest on January 16, 2009, 11:20:58 PM
Remote test from work - /.../ gives the problem.
1, 2, or 4 do not.

r][m
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: Mars on January 17, 2009, 12:00:44 AM
Thanks R][M 

Here we are, I recompiled rejetto's sources (safely) with a small modification for the 9x bug; please test this version and make a report

somewhere in main.pas
Quote
        // we don't list these entries
        if (sr.name = '.') or (sr.name = '..') or (sr.name = '...')      // mod by mars: bug 9x
.....
    // no directory crossing
    if ansiContainsStr(s, '\..\') or ansiEndsStr('\..', s) then exit;
    if ansiContainsStr(s, '\...\') or ansiEndsStr('\...', s) then exit;  // added by mars: bug 9x

Build 219 has arrived, so I removed the zip attached to this post.


Small message for rejetto: the zip file will be deleted as soon as you have corrected the problem in the next build.
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: r][m on January 17, 2009, 06:08:06 AM
Mars
Your fix worked on win98se.
/../ returns to root, but 1, 3, & 4 return my HFS  404 - Not Found page.

Many thanks!
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: rejetto on January 17, 2009, 01:31:19 PM
The problem is exactly that: Win9x supports 3 and 4 dots.
http://www.iss.net/security_center/advice/Intrusions/2000617/default.htm
I knew this, but I thought it was translated by the shell, not by the kernel itself. Thanks Microsoft.

I don't know about more dots, but I made a quick test and creating a file with the name "....." (5) is not allowed, so there's no point in allowing any name containing only dots.
I will soon publish an official fix.

Sorry PC for the early suspicions
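The following is an added worked example, not HFS's own code and not anything posted in this thread. It models what MarkV and rejetto describe above: on Win9x a component of N dots climbs N-1 directories, so the pre-fix check that only refused the literal '..' let '...' and '....' through, while a check that refuses every component made of nothing but dots closes the hole. Everything in it is constructed for illustration: SHARE_ROOT stands in for the real folder behind the VFS entry in MarkV's test, and win9x_resolve() generalises the reported rule to any N >= 2 (the thread confirmed only 3 and 4 dots), so treat that generalisation as an assumption.

```python
"""Added example (not HFS code): '...' traversal on Win9x and a check that
refuses every all-dots path component, as rejetto's fix does.

Assumptions (constructed for this walkthrough, not taken from the thread):
  - SHARE_ROOT is the real folder behind the VFS entry, as in MarkV's test;
  - win9x_resolve() models the reported behaviour, N dots climb N-1 levels,
    for any N >= 2 (the thread confirmed only 3 and 4).
"""
import re

SHARE_ROOT = r"C:\Windows\Desktop\test"   # constructed share mapping

_SEP = re.compile(r"[\\/]")


def components(path: str) -> list:
    """Split a URL or Windows path on either separator, dropping empty parts."""
    return [c for c in _SEP.split(path) if c]


def old_is_traversal(url_path: str) -> bool:
    """The pre-fix rule quoted in the thread: only an exact '..' component is refused."""
    s = url_path.replace("/", "\\")
    return "\\..\\" in s or s.endswith("\\..")


def hardened_is_traversal(url_path: str) -> bool:
    """Refuse any component consisting only of dots ('.', '..', '...', '....', ...).

    Names such as '.hidden' or 'file...txt' are still allowed: they contain
    characters other than dots, and Windows cannot create a name made of dots only.
    """
    return any(set(c) == {"."} for c in components(url_path))


def win9x_resolve(root: str, url_path: str) -> str:
    """Model of the Win9x path rule observed in the thread (assumption, see above).

    A component of N dots (N >= 2) climbs N-1 directories; a single dot stays
    put; anything else descends into that name. The drive is never popped.
    """
    parts = components(root)
    for comp in components(url_path):
        if set(comp) == {"."}:
            for _ in range(len(comp) - 1):
                if len(parts) > 1:
                    parts.pop()
        else:
            parts.append(comp)
    return "\\".join(parts)


def escapes_share(root: str, resolved: str) -> bool:
    """True when the resolved path lies outside the shared folder."""
    return resolved != root and not resolved.startswith(root + "\\")


def walkthrough(url_path: str) -> dict:
    """What each check decides for one request (relative to the share), and where
    Win9x would land if the request reached the filesystem unchecked."""
    target = win9x_resolve(SHARE_ROOT, url_path)
    return {
        "request": url_path,
        "old_check_blocks": old_is_traversal(url_path),
        "hardened_check_blocks": hardened_is_traversal(url_path),
        "win9x_target": target,
        "escapes_share": escapes_share(SHARE_ROOT, target),
    }


if __name__ == "__main__":
    for p in ("/sub/", "/../", "/.../", "/..../", "/.hidden/", "/file...txt"):
        print(walkthrough(p))
```

Running it shows the gap the thread found: for "/.../" the old check does not block, yet the modelled Win9x target is C:\Windows, outside the share, exactly what MarkV saw; the hardened check refuses "/../", "/.../" and "/..../" alike and still admits ".hidden" and "file...txt". The component check must run on the path after any percent-decoding and before it is joined to the real folder, otherwise an encoded dot would slip past it the same way.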
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: rejetto on January 17, 2009, 01:46:15 PM
Fixed in 2.3 build #219.
Soon I will publish a fixed version of 2.2.
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: MarkV on January 17, 2009, 03:41:41 PM
There's nothing like a good community. This bug is history now...  ;D
Title: Re: BIG SECURITY HOLE (?!) - HFS allows to remotely browse your hard disk!
Post by: PC on January 18, 2009, 02:34:08 PM
Great thanks for the interest from all of you...  ;D
Sorry but I didn't have time to look at the forum last week (exams etc...)

I have used HFS for some years & I didn't have big problems :P
Everything started when I shared a folder with a friend and he was doing something... and typed "..." in the wrong window :P
I was a bit shocked when he asked me if I share all my Desktop... (I use Win Me sometimes to test & compile programs).

Hmm... the cause was crazy :P
Thanks for fixing!  :) :) :)