Hello Bugtraq,

This is Doug Hoyte, head programmer of the Anti-Web project. I'm responding to an "advisory" put out recently by the "GOBBLES research group". I was not contacted by this "researcher". I'm an occasional reader of Bugtraq, but I missed this particular message. I wouldn't have found out at all if I hadn't been e-mailed by Stuart Moore of www.securitytracker.com (which is an excellent security website, by the way). Stuart said to me that he was unable to validate GOBBLES' claims. Thank you for notifying me, Stuart.

Since early versions of Anti-Web, I've been aware of GET request attacks using '..', '~', etc., and have programmed security into Anti-Web accordingly. As you can imagine, I was very surprised by this "advisory". I checked to make sure it was a recent version GOBBLES was testing. It was. After reading GOBBLES' message through, I realized that his testing procedure was completely flawed. I'm not intimately familiar with lynx, but I realized that something strange was going on here. I decided to disprove GOBBLES' technique.

The ps and netstat commands show that awhttpd is NOT running on this system. Next, I run the same command procedure that GOBBLES ran in his advisory.

    /home/doug/tp2@orion$ uname -a
    OpenBSD orion 2.9 DOUGS#0 i386
    /home/doug/tp2@orion$ ps -aux | grep awhttpd
    /home/doug/tp2@orion$ netstat -an | grep 2000
    /home/doug/tp2@orion$ lynx -dump localhost:2000/../ >GOBBLES
    /home/doug/tp2@orion$ cat GOBBLES
    Current directory is /home/doug/tp2/
    -rw-r--r--  1 doug  doug      0 Dec  1 20:51 [1]GOBBLES
    -rw-r--r--  1 doug  doug  37287 Dec  1 20:34 [2]awhttpd-2.1.tgz
    drwxr-xr-x  3 doug  doug    512 Dec  1 20:35 [3]awhttpd/
    -rw-r--r--  1 doug  doug    928 Dec  1 20:50 [4]gobblesreply.txt

    References

    1. file://localhost/home/doug/tp2/GOBBLES
    2. file://localhost/home/doug/tp2/awhttpd-2.1.tgz
    3. file://localhost/home/doug/tp2/awhttpd
    4. file://localhost/home/doug/tp2/gobblesreply.txt
    /home/doug/tp2@orion$

Obviously, lynx isn't going through the webserver to get this information.
Honestly, I don't see how GOBBLES could have thought he discovered a security hole in here. Note in the references it says "file://" instead of "http://". That should have been his first clue. Although this proves nothing about AW's security (as it proves nothing about holes in AW), you can quickly and easily verify the hole by trying GOBBLES' "exploit" on an AW box (as GOBBLES himself didn't do, obviously). For instance, if AW is running in /var/webpage (as mine is), try sending Netscape to http://the.box.com/../../etc/passwd. You'll see a 404 Not Found.

After verifying this myself, I feel confident to release this "vendor" response: (Damn, I sound professional :) )

The GOBBLES advisory is a false alarm. This vulnerability doesn't exist in Anti-Web, and hasn't existed since at least 2.0, and possibly earlier versions.

Next, I'd like to clear my name a little bit. GOBBLES' words were harsh, and as is now confirmed, completely unfounded. GOBBLES mentioned that it was a bit hypocritical of me not to run AW on my own webserver. This seems to be yet another prime example of GOBBLES' incompetence. If he had investigated his claim even slightly, he would have seen that the AW URL (hardcoresoftware.cjb.net/awhttpd/) is a URL forwarder to my own machine (pulsar.sytes.net), which is running AW 2.2 on OpenBSD 2.9. cjb.net isn't running AW, so I can see how he could have gotten confused, but that really is no excuse. Proof? Cruise to pulsar.sytes.net in lynx and hit '='. Why don't I just buy my own DNS name? I'm a poor Canadian college student with no credit card, so I must rely on free DNS entries (no-ip.com) and URL forwarders (cjb.net). Thank you to those services, by the way.

As for my "mocking" of more popular webservers, I realize that perhaps some of what I say in the README could be taken the wrong way.
All I'm saying is that in more commonly used webservers, there tends to be a lot of feature bloat which, as most Bugtraq readers should recognize, often results in security flaws. Anti-Web is a smaller, simpler server than most of the others out there. Don't get me wrong again, I have an incredible amount of respect for the Apache, thttpd, and IIS programmers. They've got features in their servers that I could only wish for, but sometimes a more lightweight solution is in order.

Anyways, this shameless smear campaign that GOBBLES is running is completely uncalled for and, I must say, a seemingly common symptom on full disclosure lists. We should all take a lesson from Stuart Moore, who actually tested this "exploit" before putting it on his website. The security community needs more rational, intelligent minds like this, and fewer self-indulgent halfwits like GOBBLES trying vainly to make names for themselves.

GOBBLES, please try to put yourself into the shoes of an open source programmer. I love my code and I'm proud of my code. As such, I have no problem sharing the code under the GPL. I'm genuinely happy when people use it and stress test it for vulnerabilities. All I ask is that you at least notify me before you ruin my reputation, and for god's sake, confirm your fucking exploits!

Doug Hoyte

P.S. Anti-Web is up for download at http://hardcoresoftware.cjb.net/awhttpd/
Or, you could just search Freshmeat.

Thanks go to Stuart Moore, the OpenBSD team, #disguise, #hackcanada
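The check the post describes, a GET request path containing '..' or '~' being refused with a 404 rather than escaping the document root, written out as an added C example. This is not Anti-Web's own code; the function name resolve_docroot_path and the document root /var/webpage are assumptions, and it goes slightly beyond the post by percent-decoding first so that encoded forms of '..' are caught by the same segment check.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Anti-Web's code: map a GET request path under the
 * document root, refusing escapes. Returns 0 on success, -1 for a 404. */
static int hexval(int c) {                      /* hex digit value, or -1 */
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
int resolve_docroot_path(const char *docroot, const char *req,
                         char *out, size_t outlen) {
    char decoded[1024];
    size_t n = 0;
    /* Percent-decode first so "%2e%2e" is seen as ".." below; reject bad
     * escapes, embedded NUL bytes and over-long paths. Stop at the query. */
    for (const char *p = req; *p && *p != '?'; p++) {
        if (*p == '%') {
            int hi = hexval(p[1]), lo = hi < 0 ? -1 : hexval(p[2]);
            if (lo < 0) return -1;
            decoded[n++] = (char)(hi * 16 + lo);
            p += 2;
        } else decoded[n++] = *p;
        if (decoded[n - 1] == '\0' || n >= sizeof(decoded) - 1) return -1;
    }
    decoded[n] = '\0';
    /* Segment stack: "." is dropped, ".." pops a level and is refused at the
     * root (no clamping), "~user" is refused since there is no home expansion. */
    const char *seg[256]; size_t seglen[256]; int depth = 0;
    for (char *s = decoded; *s; ) {
        while (*s == '/') s++;
        if (!*s) break;
        char *e = strchr(s, '/');
        size_t len = e ? (size_t)(e - s) : strlen(s);
        if (len == 1 && s[0] == '.') { /* current dir: nothing to do */ }
        else if (len == 2 && s[0] == '.' && s[1] == '.') { if (depth == 0) return -1; depth--; }
        else if (s[0] == '~') return -1;
        else { if (depth >= 256) return -1; seg[depth] = s; seglen[depth++] = len; }
        s = e ? e : s + len;
    }
    /* Rebuild the path strictly underneath docroot. */
    if (snprintf(out, outlen, "%s", docroot) >= (int)outlen) return -1;
    for (int i = 0; i < depth; i++) {
        size_t used = strlen(out);
        if (snprintf(out + used, outlen - used, "/%.*s", (int)seglen[i], seg[i])
            >= (int)(outlen - used)) return -1;
    }
    return 0;
}
```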