DESCRIPTION
"TclHttpd is used both as a general-purpose Web server, and as a framework for building server applications. It implements Tcl (http://www.tcl.tk), including the Tcl Resource Center and Scriptics' electronic commerce facilities. It works on Unix, Windows, and Macintosh. You can have the server up and running quickly."
More information at http://www.tcl.tk/software/tclhttpd
SUMMARY
| PRODUCT | TclHttpd |
|---|---|
| VENDOR | Tcl Developer Xchange |
| AFFECTED VERSIONS | TclHttpd < 3.4.2 |
| SEVERITY | |
| IDENTIFIER | N/A |
| TESTED PLATFORM | Linux (x86) |
Multiple flaws in the TclHttpd server allow an attacker to browse any directory on the remote host and to inject malicious JavaScript/VBScript content into a user's browser under the TclHttpd server context (Cross Site Scripting).
IMPACT
Arbitrary Directory Browsing.
Injection of malicious code.
DETAILS
[Vulnerability #1] Arbitrary Directory Browsing
When a user requests a directory on the TclHttpd server, the script httpdthread.tcl looks for various default index files in that directory. If none is found, it passes the operation to the dirlist.tcl script, which produces the "fancy" directory listing and lets users sort files by modification date, name, size, or a file-name pattern. The dirlist.tcl script does filter user input in an attempt to prevent directory traversal, but the filter is easily bypassed when an absolute path is supplied as the pattern instead of a relative one. Directory listing is enabled by default.
For example:
Requesting http://abc.com/images/?pattern=/*&sort=name returns a listing of the directories under /.
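To make the bypass concrete, here is an added illustration (written in Python, not TclHttpd's own Tcl code) of a traversal filter that only rejects ".." segments, beside a check that instead confines the resolved pattern to the requested directory under the document root. The document root and request paths are constructed values, not TclHttpd's real configuration.

```python
import posixpath

# Constructed document root for the illustration (not a TclHttpd default).
DOCROOT = "/var/www/htdocs"


def weak_pattern_ok(pattern: str) -> bool:
    """Filter of the kind the advisory describes: it rejects '..' path
    segments but never asks where the pattern actually resolves, so an
    absolute pattern such as '/*' is accepted and lists the filesystem root."""
    return ".." not in pattern.split("/")


def confined_glob_path(docroot: str, request_dir: str, pattern: str):
    """Hardened check: resolve the client-supplied pattern relative to the
    requested directory and refuse anything that escapes that directory.
    Returns the absolute glob path to use, or None if the request is rejected.

    This is a purely lexical check (posixpath.normpath does not touch the
    filesystem); a deployment that allows symlinks inside the document root
    should additionally compare os.path.realpath() of the final result."""
    base = posixpath.normpath(posixpath.join(docroot, request_dir.lstrip("/")))
    # posixpath.join discards 'base' when 'pattern' is absolute, which is
    # exactly the case the '..'-only filter misses; the containment test
    # below catches it because the result no longer starts with 'base'.
    candidate = posixpath.normpath(posixpath.join(base, pattern))
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


def listing_decisions(patterns):
    """Compare both checks over a set of patterns for the /images/ directory.
    Returns {pattern: (weak_filter_accepts, confined_result)}."""
    return {
        p: (weak_pattern_ok(p), confined_glob_path(DOCROOT, "/images/", p))
        for p in patterns
    }


if __name__ == "__main__":
    # Constructed sample patterns, including the absolute-path bypass.
    for pat, (weak, strong) in listing_decisions(
        ["*.png", "sub/*", "../*", "sub/../../*", "/*"]
    ).items():
        print(f"{pat!r:16} weak filter: {weak!s:5} confined: {strong}")
```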
[Vulnerability #2] Cross Site Scripting (XSS)
The TclHttpd web server comes with various modules that increase the flexibility of the server. The /debug modules, which are enabled by default, allow one to download logging information and to debug the Tcl part of the application without restarting the hosting application. Many of these modules are vulnerable to the well-known Cross Site Scripting (XSS) flaw: request parameters are reflected into the response without encoding, which potentially enables a malicious user to "inject" code into a user's session under the TclHttpd server context.
PROOF OF CONCEPT
[Vulnerability #1] Arbitrary Directory Browsing
Requesting http://abc.com/images/?pattern=/*&sort=name returns a listing of the directories under /.
[Vulnerability #2] Cross Site Scripting (XSS)
For example:
http://www.abc.com/debug/echo?name=<script>alert('hello');</script>
http://www.abc.com/debug/dbg?host=<script>alert('hello');</script>
http://www.abc.com/debug/showproc?proc=<script>alert('hello');</script>
http://www.abc.com/debug/errorInfo?title=<script>alert('hello');</script>
VENDOR STATUS
The vendor has been notified, and a patch is available at http://www.tcl.tk/software/tclhttpd
CREDIT
Phuong Nguyen
DISCLOSURE TIMELINE
N/A
APPENDIX
N/A
REFERENCES
N/A