SecurityFocus BUGTRAQ Mailing List: BugTraqLink Number One Link Number One Link 
Number Two Link Number Two  Link Number One Link Number One Link Number Two Link 
Number Two   
                          Entire Site Advisories Calendar Columnists Elsewhere 
                          Guest Feature Infocus Library Links Mailing Lists 
                          (all) -- BUGTRAQ -- FOCUS-IDS -- FOCUS-IH -- 
                          FOCUS-LINUX -- FOCUS-MS -- FOCUS-SUN -- FOCUS-VIRUS -- 
                          FORENSICS -- INCIDENTS -- PEN-TEST -- SEC JOBS -- SF 
                          NEWS -- VULN-DEV News Products Services Tools Vulns








             
             




                         BUGTRAQ ARCHIVE 

                        [ Message Index ] [ Thread Index ][ Reply ]
                        [ prev Msg by Date ][ next Msg by Date ]


                              To: BugTraq
                              Subject: TCLHttpd Server - Multiple 
Vulnerabilities
                              Date: Sep 24 2003 1:22PM
                              Author: Phuong Nguyen <dphuong yahoo com>
                              Message-ID: 
                              <20030924132225.51073.qmail@web13402.mail.yahoo.com>


Released Date 09/23/2003

TITLE
=====
TCLHttpd 3.4.2 - Multiple Vulnerabilities

DESCRIPTION
===========
"TclHttpd is used both as a general-purpose Web
server, and as a framework for building server
applications. It implements Tcl (http://www.tcl.tk),
including the Tcl Resource Center and Scriptics'
electronic commerce facilities. It is also
built into several commercial applications such as
license servers and mail spam filters. Instructions
for setting up the TclHttpd on your platform are given
towards the end of the chapter, on page See The
TclHttpd Distribution. It works on Unix, Windows, and
Macintosh. You can have the server up and running
quickly."

More information at
http://www.tcl.tk/software/tclhttpd

PROBLEMS
========
Affected Version	: TCLHttpd 3.4.2 (latest) and
probably older builds
Tested Platform		: Linux(x86)

Mutiple flaws in TCLHttpd server which open door for
an attacker to browse any directories on the remote
host, and to inject 

malicious javascript/vbscript content to the user's
browser under the TCLHttpd server context (Cross Site
Scripting).

DETAILS
=======
[Vulnerability #1] Arbitrary Directory Browsing

When a user requests a directory on TCLHttpd server,
httpdthread.tcl will start to look for various default
index file names in that directory, if none can be
found then it will pass the operation to dirlist.tcl
script to do the "fancy" directory listing which
provides users the ability to sort files by modify
date, name, size or file's pattern. Dirlist.tcl script
does filter inputs from the users in order to prevent
directory traversal but it can be easily bypassed if
an absolute path was entered. Directory listing is
enabled by default.

For example: Requesting
http://abc.com/images/?pattern=/*&sort=name will
return you a list of directory under / 

[Vulnerability #2] Cross Site Scripting (XSS)

TCLHttpd web server comes with various modules in
order to increase the flexibility of the server, and
/debug module is enable by default which allows you to
download logging information, debug the Tcl part of
the application without restarting the hosting
application. Many modules are suffered from the
multiple Cross Site Scripting (XSS) vulnerabilities
that potentially enable a malicious user to "inject"
code into a user's session under TCLHttpd server
context. I'm going to use the /debug module as an
example.

http://www.abc.com/debug/echo?name=<script>alert('hello');</script>
http://www.abc.com/debug/dbg?host=<script>alert('hello');</script>
http://www.abc.com/debug/showproc?proc=<script>alert('hello');</script>
http://www.abc.com/debug/errorInfo?title=<script>alert('hello');</script>

WORK AROUND
===========
You can eliminate the threats from these
vulnerabilities by editing your httpdthread.tcl and
comment out the directory listing option, also you
should disable the following modules to prevent Cross
Site Scripting: Status, Debug, Mail and Admin.

Notes: Disabling some modules in your TCLhttpd
configuration might decrease the flexibility of your
server.

VENDOR STATUS
=============
Vendor has been notified.

Phuong Nguyen

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com






                  Want to link to this message? Use this URL: 
                  <http://www.securityfocus.com/archive/1/338859>
                  Disclaimer, Terms & Conditions


                  About this List


                  Featured Lists:

                  ARIS Users
                  bugtraq
                  bugtraq-es
                  bugtraq-french NEW
                  bugtraq-jp
                  firewalls
                  focus-ids
                  focus-ih
                  focus-linux
                  focus-ms
                  focus-sun
                  focus-unix-other
                  focus-virus
                  forensics
                  forensics-es
                  honeypots
                  incidents
                  libnet
                  pen-test
                  secevents
                  secpapers
                  secprog
                  sectools
                  secureshell
                  security-basics
                  security-management NEW
                  securityjobs
                  vpn
                  vuln-dev
                  webappsec

                  Newsletters:

                  sf-news
                  ms-secnews
                  linux-secnews


                  [ more . . . ]




                        Privacy Statement
                        Copyright © 1999-2003 SecurityFocus