avih/miniweb

Security Vulnerabilities CVE-2008-0337

Closed this issue · 8 comments

The original version of miniweb has 2 severe security vulnerabilities:
directory traversal and heap-based buffer overflow.

https://www.exploit-db.com/raw/4923/

avih commented

Thanks. I can confirm the first issue, and haven't yet tested the second. However, it seems I can't access the domain where the PDF is. Would you mind attaching the PDF (English version) here or copying it to another place where I might have better luck accessing it?

avih commented

Thanks.

If you can fix these vulnerabilities, this is definitely the best one.
The author of miniweb seems not to maintain this project anymore.

avih commented

Thanks. The code is written in a way that makes it easy to miss such issues. Nevertheless, I'll try to address at least the mentioned ones.

avih commented

FYI, there are several buffer-overflow vulnerabilities too:

https://www.exploit-db.com/exploits/32923/
https://www.exploit-db.com/exploits/25418/

Did you actually test that they still exist? Because as far as I can tell, they don't exist anymore. Do correct me if I'm wrong.

The first is from 2009 of request path > ~120 bytes, which is apparently caught correctly and as far as I can tell was fixed before I started adding commits, and the second uses POST which I disabled more than a year ago (and is rejected gracefully).

https://www.exploit-db.com/raw/4923/

Is from 2008 and mentions two issues:

  • Buffer overflow for request path of ~3800 chars - as far as I can tell fixed before I started adding commits.
  • Directory traversal outside of the web-root.

The directory traversal issue is also https://www.exploit-db.com/exploits/5212/ and https://www.exploit-db.com/exploits/3708/, and as far as I can tell the only issue which still exists today (fixed locally already, with some additional fixes).

This is not to say that it's safe to use when facing the web. It's not, and the code is such that it's easy to make mistakes. Most of the code was written by the original author, who has abandoned the project. I did fix a few issues (and maybe introduced a few as well) and added some nicer directory listing, but I don't intend to work on it actively and make it a production grade server. This would require way more time, attention and work than some minor random fixes.

You should take it for what it is: a hobby project which is mostly OK for serving some files over LAN, but which should never be used outside of controlled environments. It's not that kind of server, and I don't intend to make it such.

That being said, I will soon push the patches which fix the directory traversal issue, along with a few other related fixes.

Hello!
I know it's been 2 years since the last comment. But I was wondering if a fix for these exploits could be applied to the codebase?
I am trying to make the ultimate fork of miniweb, fusing all the forks' improvements together, just because I have too much free time at hand.
Note: I am not a C dev, I'm just having fun with one of the smallest web servers out there 😄

avih commented

I pushed the additional commits I had locally. As far as I can tell they handle the last remaining issue - https://www.exploit-db.com/raw/4923/ .

However, this project is not maintained, and should not be considered secure regardless. A note was added to the readme.
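
Added example, not part of the thread and not miniweb's code: one way a small C server can reject the two request-path problems discussed above (paths that climb outside the web root, and over-long paths) before touching the filesystem. The name `safe_request_path` is hypothetical, and the input is assumed to be already percent-decoded.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not miniweb code): normalise an already percent-decoded
 * request path into `out`, relative to the web root. Returns 0 on success,
 * -1 (out undefined) if the path is relative, climbs above the root, or does not fit. */
int safe_request_path(const char *req, char *out, size_t outsz)
{
    size_t len = 0;                       /* bytes currently held in out */
    const char *p = req;
    if (outsz == 0 || *p != '/')
        return -1;                        /* request paths must start at the root */
    while (*p) {
        while (*p == '/' || *p == '\\')   /* treat '\' as a separator too */
            p++;
        const char *seg = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        size_t n = (size_t)(p - seg);
        if (n == 0 || (n == 1 && seg[0] == '.'))
            continue;                     /* empty or "." segment: nothing to add */
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == 0)
                return -1;                /* ".." would leave the web root */
            while (len > 0 && out[len - 1] != '/')
                len--;                    /* drop the last segment... */
            if (len > 0)
                len--;                    /* ...and its separator */
            continue;
        }
        if (len + (len ? 1 : 0) + n + 1 > outsz)
            return -1;                    /* too long: reject, never truncate */
        if (len)
            out[len++] = '/';
        memcpy(out + len, seg, n);
        len += n;
    }
    out[len] = '\0';
    return 0;
}

int main(void)
{
    const char *reqs[] = { "/a/./b/../c.txt", "/../etc/passwd", "/x/..\\..\\y" }; /* constructed */
    char out[64];
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-18s -> %s\n", reqs[i],
               safe_request_path(reqs[i], out, sizeof out) == 0 ? out : "(rejected)");
    return 0;
}
```

The normalised result is meant to be appended to the web-root directory; symlinks inside the root are outside what this string-level check covers.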