
Bug #1335

source disclosure vulnerability on win32 with ntfs alternate data streams

Added by wlmp over 12 years ago. Updated over 11 years ago.

Status:
Invalid
Priority:
Urgent
Assignee:
-
Category:
core
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Missing in 1.5.x:

Description

We received the following post on the WLMP Project (http://wlmp.dtech.hu) forum:

To whom it may concern,

I am not sure whether or not the Win32 build of Lighttpd is officially supported,
but I would like to report a security vulnerability specific to this specific release.

The vulnerability is due to an NTFS-specific feature, called an ADS stream. Using this feature, it is possible to retrieve the source code of a file stream that would normally be interpreted by e.g. PHP using the ":$DATA". (I believe IIS and/or Apache had similar vulnerabilities; Apache on Win32 completely forbids the ":" character in URLs now.)

Example:

You can retrieve the source code of http://wlmp.dtech.hu/index.php by using the URL http://wlmp.dtech.hu/index.php::$DATA

I'm not sure whether there are additional parameters similar to ":$DATA", but I think it's safe to say that ADS streams should be ignored/disallowed completely. The feature isn't very well documented and not very commonly used.

More information about NTFS/ADS can be found at http://en.wikipedia.org/wiki/NTFS

Regards,
Ben de Graaff

We can confirm the existence of this vulnerability.

Proposed solution in src/request.c

Replace

int request_uri_is_valid_char(unsigned char c) {
    if (c <= 32) return 0;
    if (c == 127) return 0;
    if (c == 255) return 0;

    return 1;
}

with

int request_uri_is_valid_char(unsigned char c) {
    if (c <= 32) return 0;
    if (c == 58) return 0; // 58 is the ASCII code for ':'
    if (c == 127) return 0;
    if (c == 255) return 0;

    return 1;
}

#1

Updated by darix over 12 years ago

Veto. The ":" is a valid char in URIs, and we use that extensively on one of our services.

The real fix would be to check for ":" in the filename part of the URI,
and this restriction should only be applied to Windows, IMHO.
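
The proposed change to request_uri_is_valid_char() in the description rejects ':' anywhere in the request URI; the objection above is that ':' is legal in URIs and the check belongs on the filename (path) part only, and only on Windows. The following is an added example (not lighttpd code and not from any commenter) of what such a narrower check looks like: it scans only the path component, stops at the query string, and also catches the percent-encoded form %3A, since a server decodes the path before mapping it to a file (the encoded case is an added caveat, not discussed in the thread). The on_windows flag and the function names are hypothetical and exist so the logic can run on any host.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not lighttpd's src/request.c. Function names and the
 * on_windows flag are hypothetical; the sample URIs below are constructed
 * from the forms mentioned in the bug report and comment #2. */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Returns 1 if the path component of uri (everything before '?' or '#')
 * contains ':' either literally or percent-encoded as %3A / %3a,
 * 0 otherwise. A ':' in the query string is deliberately left alone. */
int uri_path_has_colon(const char *uri) {
    const char *p;
    for (p = uri; *p != '\0' && *p != '?' && *p != '#'; p++) {
        if (*p == ':') return 1;
        if (*p == '%' && p[1] != '\0' && p[2] != '\0') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hexval((unsigned char)p[2]);
            if (hi >= 0 && lo >= 0 && ((hi << 4) | lo) == ':') return 1;
        }
    }
    return 0;
}

/* Decision helper: reject the request only where NTFS alternate data
 * streams can be reached through the path, i.e. on Windows builds.
 * on_windows is a parameter (rather than a compile-time #ifdef) so the
 * behaviour on both platforms can be exercised from one binary. */
int reject_request_uri(const char *uri, int on_windows) {
    if (!on_windows) return 0;            /* keep ':' allowed elsewhere */
    return uri_path_has_colon(uri);
}

int main(void) {
    /* Constructed sample request targets. */
    const char *samples[] = {
        "/index.php",                    /* ordinary request              */
        "/index.php::$DATA",             /* unnamed data stream (report)  */
        "/index.php:VersionInfo:$DATA",  /* named stream (comment #2)     */
        "/index.php%3A%3A$DATA",         /* percent-encoded colons        */
        "/search?q=a:b",                 /* ':' only in the query string  */
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s reject on windows:%d  on other:%d\n", samples[i],
               reject_request_uri(samples[i], 1),
               reject_request_uri(samples[i], 0));
    return 0;
}
```

The query-string case is the one that the blanket character ban breaks: "/search?q=a:b" is accepted on both platforms, while every path-component variant is rejected on Windows only.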

#2

Updated by ralf over 12 years ago

Some hints/URLs while I am looking for a useful fix:

URLs

Hints

There are not only "::$Data" streams; it is possible to create user-defined streams.

An example of another (default) stream is: http://domain.tld/index.php:VersionInfo:$Data

While playing a bit, atm I found no way to determine if a file is a stream (without parsing the string for a ":" character).

I played with:

  • GetFileAttributesEx()
  • GetFileInformationByHandle()
  • GetFileType()

#3

Updated by ralf over 12 years ago

#4

Updated by stbuehler over 11 years ago

  • Status changed from New to Fixed
  • Resolution set to invalid

I don't think it is the webserver's responsibility to check for every filesystem in the world whether it has some stupid way to access the content with another name. It is bad enough with case-insensitive filesystems.

If you have a problem with ':', just do

$HTTP["url"] =~ ":" {
    url.access-deny = ( "" )
}

#5

Updated by stbuehler over 11 years ago

  • Status changed from Fixed to Invalid
