#######################################################################

                             Luigi Auriemma

Application:  NULLhttpd
              http://nullhttpd.sourceforge.net/httpd/
Versions:     <= 0.5.1
Platforms:    All supported (Win & Unix)
Bug:          Cross site scripting
Date:         24 Sep 2003
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


"Null httpd is a very small, simple and multithreaded web server for
Linux and Windows."
However, as said by the author Dan Cahill, this server has not been
developed for production servers or for quality and security.


#######################################################################

======
2) Bug
======


That's not the first time that a XSS (cross site scripting) bug is
found in NULLhttpd, in fact this bug was already fixed in the 0.5.1
version released one year ago, but unfortunately some "problems" in the
code let this bug to be replicated (also if it already existed in
previouses versions)

The problem in fact is that a too long HTTP request overwrites some
string of data in memory (however I have not debugged it so there are
no details about) and the effect is the bypass of the check made by
NULLhttpd to avoid XSS and a returned 400 (Bad Request) error page with
the XSS code.


Example:

http://server/ [1799 bytes] [243 bytes]
               |            |
               |            here starts the XSS code that can be max
               |            243 bytes big
               chars needed to avoid the XSS check


Answer from NULLhttpd:

----
HTTP/1.0 200 OK
Cache-Control: no-store
Connection: Close
Content-Length: 472
Date: Tue, 23 Sep 2003 11:39:30 GMT
Expires: Tue, 23 Sep 2003 11:39:30 GMT
Last-Modified: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaano-cache
Pragma: no-cache
Server: Null httpd 0.5.1
Content-Type: text/html

<script>alert('hello');</script>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx<HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD>
<BODY BGCOLOR=#F0F0F0 TEXT=#000000 LINK=#0000FF ALINK=#0000FF VLINK=#0000FF>
<H1>400 Bad Request</H1>
Can't Parse Request.
<HR>
<ADDRESS>Null httpd 0.5.1</ADDRESS>
</BODY></HTML>
----


#######################################################################


===========
3) The Code
===========


Exploiting the problem is too simple, however I have released an html
file with a link (I have used 127.0.0.1 as server so modify it) that
does the work:

http://aluigi.org/poc/nullhttpd051-xss.htm


#######################################################################

======
4) Fix
======


No fix.
The author was notified over 10 days ago but I have not yet received a
response.


#######################################################################