NULLhttpd <= 0.5.1 XSS through Bad request

2003-09-25 00:00:00
vulners.com

#######################################################################

                         Luigi Auriemma

Application: NULLhttpd
http://nullhttpd.sourceforge.net/httpd/
Versions: <= 0.5.1
Platforms: All supported (Win & Unix)
Bug: Cross site scripting
Risk: Low
Author: Luigi Auriemma
e-mail: [email protected]
web: http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

"Null httpd is a very small, simple and multithreaded web server for
Linux and Windows."
However, as its author Dan Cahill states, this server has not been
developed for production servers or with quality and security in mind.

#######################################################################

======
2) Bug

This is not the first time an XSS (cross-site scripting) bug has been
found in NULLhttpd: the same bug was already fixed in version 0.5.1,
released one year ago, but unfortunately some "problems" in the code
allow it to be reproduced (it also existed in previous versions).

The actual problem is that an over-long HTTP request overwrites some
string data in memory (however, I have not debugged it, so there are no
details about that); the effect is that the check made by NULLhttpd to
avoid XSS is bypassed and the returned 400 (Bad Request) error page
contains the XSS code.

Example:

http://server/ [1799 bytes] [243 bytes]
               |            |
               |            here starts the XSS code, which can be at most
               |            243 bytes long
               chars needed to avoid the XSS check

Answer from NULLhttpd:

HTTP/1.0 200 OK
Cache-Control: no-store
Connection: Close
Content-Length: 472
Date: Tue, 23 Sep 2003 11:39:30 GMT
Expires: Tue, 23 Sep 2003 11:39:30 GMT
Last-Modified:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaano-cache
Pragma: no-cache
Server: Null httpd 0.5.1
Content-Type: text/html

<script>alert('hello');</script>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxx<HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD>
<BODY BGCOLOR=#F0F0F0 TEXT=#000000 LINK=#0000FF ALINK=#0000FF VLINK=#0000FF>
<H1>400 Bad Request</H1>
Can't Parse Request.
<HR>
<ADDRESS>Null httpd 0.5.1</ADDRESS>
</BODY></HTML>
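A defensive counterpart to the bypass shown above, added here and not taken from NULLhttpd's source: rather than trying to recognise script in the request, the error page HTML-escapes whatever it reflects into fixed-size buffers, so an over-long request can neither overflow the buffer nor reach the browser as markup. The function names and the 128-byte reflection limit are assumptions of this example.

```c
/* Added example, not NULLhttpd's code: build the 400 page so the reflected
 * request is HTML-escaped into fixed-size buffers. Names/limits are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Append src to dst (capacity dstsz incl. NUL); returns 0 if it would not fit. */
static int append(char *dst, size_t dstsz, size_t *used, const char *src)
{
    size_t n = strlen(src);
    if (*used + n >= dstsz) return 0;
    memcpy(dst + *used, src, n + 1);
    *used += n;
    return 1;
}

/* HTML-escape at most max_in bytes of in[] into out[]. Never writes past
 * outsz and always NUL-terminates out[]. Returns 0 if output was cut short. */
int html_escape(const char *in, size_t max_in, char *out, size_t outsz)
{
    size_t used = 0;
    if (outsz == 0) return 0;
    out[0] = '\0';
    for (size_t i = 0; i < max_in && in[i] != '\0'; i++) {
        char one[2] = { in[i], '\0' };
        const char *rep = one;
        switch (in[i]) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (!append(out, outsz, &used, rep)) return 0;
    }
    return 1;
}

/* Render the 400 body; the request appears only escaped and truncated, so
 * neither its length nor its content can alter the page's markup.
 * Returns 1 if the whole page fit in page[], 0 if snprintf truncated it. */
int render_bad_request(const char *req, char *page, size_t pagesz)
{
    char esc[512];
    html_escape(req, 128, esc, sizeof esc);  /* reflect at most 128 raw bytes */
    int n = snprintf(page, pagesz,
        "<HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY>"
        "<H1>400 Bad Request</H1>Can't Parse Request: %s<HR></BODY></HTML>", esc);
    return n >= 0 && (size_t)n < pagesz;
}
```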

#######################################################################

===========
3) The Code

Exploiting the problem is very simple; however, I have released an HTML
file with a link (I used 127.0.0.1 as the server, so modify it) that
does the work:

http://aluigi.altervista.org/nullhttpd051-xss.htm

#######################################################################

======
4) Fix

No fix.
The author was contacted over 10 days ago, but I have not received an
answer so far.

#######################################################################


Luigi Auriemma
http://aluigi.altervista.org