Westpoint Security Advisory

Title:		GoAhead Web Server Directory Traversal + Cross Site Scripting		
Risk Rating: 	Medium
Software: 	GoAhead Web Server v2.1	
Platforms: 	Windows NT/98/95/CE				
		Embedded Linux
		Linux
		QNX
		Novell Netware + others

Vendor URL: 	www.goahead.com/webserver/webserver.htm
Author:		Matt Moore <matt@westpoint.ltd.uk>
Date:		10th July 2002
Advisory ID#:	wp-02-0001 

Overview: 
=========
GoAhead is an open source 'embedded' web server. Apparently used in various
networking devices from several blue chip companies. 

(http://www.goahead.com/webserver/customers.htm)

Details: 
========

Cross Site Scripting via 404 messages.
--------------------------------------

GoAhead quotes back the requested URL when responding with a 404. Hence it
is possible to perform cross-site scripting attacks, e.g:

GoAhead-server/SCRIPTalert(document.domain)/SCRIPT

Read arbitrary files from the server running GoAhead(Directory Traversal)
-------------------------------------------------------------------------

GoAhead is vulnerable to a directory traversal bug. A request such as 

GoAhead-server/..%5C..%5C..%5C..%5C..%5C..%5C/winnt/win.ini

returns the contents of the win.ini file.

Note that the backslashes do not necessarily have to be URLEncoded.

Vendor Response:
================
I was unable to obtain any response from GoAhead technical support regarding
the identified issues.

Patch Information:
==================
No vendor response, so unsure if fixed version available.

Security History:
=================

http://www.securiteam.com/securitynews/5QP010U3FS.html - Directory Traversal
http://www.securiteam.com/securitynews/5IP0E2K41I.html - Denial of Service
http://www.securiteam.com/windowsntfocus/5LP040A3RS.html - Denial of Service

This advisory is available online at:

http://www.westpoint.ltd.uk/advisories/wp-02-0001.txt

			
Designed & Built by e3creative