Lighttpd

We received the following post on the WLMP Project (http://wlmp.dtech.hu) forum:

To whom it may concern,[BR]

I am not sure whether or not the Win32 build of Lighttpd is officially supported,[BR]
but I would like to report a security vulnerability specific to this specific release.

The vulnerability is due to an NTFS-specific feature, called an ADS stream. Using this feature, it is possible to retrieve the source code of a file stream that would normally be interpreted by e.g. PHP using the ":$DATA". (I believe IIS and/or Apache had similar vulnerabilities; Apache on Win32 completely forbids the ":" character in URLs now.)

Example:

You can retrieve the source code of http://wlmp.dtech.hu/index.php by using the URL http://wlmp.dtech.hu/index.php::$DATA

I'm not sure whether there are additional parameters similar to ":$DATA", but I think it's safe to say that ADS streams should be ignored/disallowed completely. The feature isn't very well documented and not very commonly used.

More information about NTFS/ADS can be found at http://en.wikipedia.org/wiki/NTFS

Regards,[BR]
Ben de Graaff

We can confirm the existence of this vulnerability.

Proposed solution in src/request.c

Replace

int request_uri_is_valid_char(unsigned char c) {
    if (c <= 32) return 0;
    if (c == 127) return 0;
    if (c == 255) return 0;

    return 1;
}

with

int request_uri_is_valid_char(unsigned char c) {
    if (c <= 32) return 0;
    if (c == 58) return 0; // 58 is the ASCII code for ':'
    if (c == 127) return 0;
    if (c == 255) return 0;

    return 1;
}