####################################################################### Luigi Auriemma Application: Abyss webserver http://www.aprelium.com Versions: minors than 1.2 Platforms: Linux version only Bug: Bypassing of password protected folders authorization on FAT32 filesystems (but rarely users use Linux to run a webserver on a FAT32 partition) Exploitation: remote through browser Date: 08 Dec 2003 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Abyss webserver is a nice and tiny free closed-source web server developed for Win32, Linux x86, MacOS and FreeBSD platforms. ####################################################################### ====== 2) Bug ====== The bug is a protection bypassing but it happens only on Linux when the protected folder is on a FAT32 system. Probably is a bit unusual that someone uses a webserver for Linux to share a FAT32 directory but Abyss is very useful for fast configurations and for personal usages so this is not a rare case (... in fact I have found this bug just because I was sharing a FAT32 dir...). Practically if the admin runs Abyss webserver on Linux and has a FAT32 directory protected by password an attacker can bypass the authorization simply adding a dot or an HTTP encoded dot (%2e) at the end of the URL. The developers have reported that also the chars space (' ', %20) and ':' (%3a) cause the same problem (but on my system they cause only a right 404 error). ####################################################################### =========== 3) The Code =========== http://linux_server/protected_FAT32_dir. http://linux_server/protected_FAT32_dir./ http://linux_server/protected_FAT32_dir%2e ####################################################################### ====== 4) Fix ====== Version 1.2 released the 3th Dec 2003 #######################################################################