![Web server definition Web server definition](http://faculty.cs.tamu.edu/rabi/ppcproj/webserver/Image41.gif)
From: Matt Moore To: bugtraq Subject: wp-02-0001: GoAhead Web Server Directory Traversal + Cross Site Scripting Date: Wed, 10 Jul 2002 11:59:05 +0100 Westpoint Security Advisory Title: GoAhead Web Server Directory Traversal + Cross Site Scripting Risk Rating: Medium Software: GoAhead Web Server v2.1 Platforms: Windows NT/98/95/CE Embedded Linux Linux QNX Novell Netware + others Vendor URL: www.goahead.com/webserver/webserver.htm Author: Matt Moore Date: 10th July 2002 Advisory ID#: wp-02-0001 Overview: GoAhead is an open source 'embedded' web server. Apparently used in various networking devices from several blue chip companies.
( ) Details: Cross Site Scripting via 404 messages. GoAhead quotes back the requested URL when responding with a 404. Hence it is possible to perform cross-site scripting attacks, e.g: GoAhead-server/SCRIPTalert(document.domain)/SCRIPT Read arbitrary files from the server running GoAhead(Directory Traversal) - GoAhead is vulnerable to a directory traversal bug.
Technical Analysis and Recommended Solution of GoAhead httpd/2.5 to 3.5 LD_PRELOAD Remote Code Execution Vulnerability (CVE-2017-17562) On January 5, 2018 By adeline A remote RCE vulnerability (CVE-2017-17562) was found in all GoAhead Web Server’s versions earlier than 3.6.5. The said vulnerability affects GoAhead, a tiny web server package created by Embedthis Software LLC, a company based in Seattle, USA.
A request such as GoAhead-server/./././././././ results in an error message 'Cannot open URL'. However, by encoding the '/' character, it is possible to break out of the web root and read arbitrary files from the server. Hence a request like: GoAhead-server/.%5C.%5C.%5C.%5C.%5C.%5C/winnt/win.ini returns the contents of the win.ini file. Vendor Response: I was unable to obtain any response from GoAhead technical support regarding the identified issues.
![Goahead Web Server Update Goahead Web Server Update](/uploads/1/2/5/3/125377685/665105472.png)
Patch Information: No vendor response, so unsure if fixed version available. Security History: - Directory Traversal - Denial of Service - Denial of Service This advisory is available online at: ( to post comments).
A remote RCE vulnerability (CVE-2017-17562) was found in all GoAhead Web Server’s versions earlier than 3.6.5. The vulnerability is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters, and will affect all users who have CGI support enabled with dynamically linked executables (CGI scripts). This behavior, when combined with the glibc dynamic linker, can be abused for remote code execution using special variables such as LDPRELOAD.
Reference links: Affected Versions GoAhead Web Server Version = 3.6.5 Solutions Users’ Self-Inspection This vulnerability has impact on users who have enabled dynamically linked executables on Linux server. Besides, users should check their GoAhead Web Server version to see if it is affected. If it’s earlier than version 3.6.5, risk exists. The following commands can be used to check the version:./goahead –version Patches from Vendor The vendor has released patches to fix this issue in its new version. Users are advised to upgrade immediately by saving and applying auth.txt and route.txt files to the new version. Reference links: Recommended Solution from NSFOCUS Using NSFOCUS detection products and service.
Use NSFOCUS Cloud to get quick online detection for public assets, available at the following link:. Use NSFOCUS Intrusion Detection System (IDS) to detect intranet assets. Find the latest patch at the following link and carry out the detection. Using NSFOCUS prevention products. Intrusion prevention system (IPS). Next-generation Firewall (NF).
Web Application Firewall (WAF) Please update to the latest version for immediate protection. Technical Analysis GoAhead CGI process cannot filter parameters correctly when handling HTTP requests. It can be employed to inject variable LDPRELOAD and bring RCE risk.
Function cgihandler of goahead/src/cgi.c is used to handle HTTP requests: It references key-values from HTTP request parameters and uses them in envp groups as environment variables to pass on to function launchCgi for CGI execution. Function launchCgi executes the mentioned-above environment variables as environment variables of CGI through execve. On Linux system it is possible to use LDPRELOAD environment variables to hook and hijack function execution flows, just as we’ve known. We can see that only REMOTEHOST and HTTPAUTHORIZATION were filtered in the function. The parameters in HTTP requests are directly assigned to envp groups by “envpn = sfmt(“%s=%s”, s-name.value.string, s-content.value.string);”, and then the envp groups are used as environment variables in CGI process. That means a malicious HTTP request will make CGI execute designated shared object files. Vulnerability Remediation The vendor fixed this issue in June 2017 as shown on its official website.
HTTP parameter filtering commands have been added in the patch to prevent unintended parameters from going into environment variables. In addition to “LD” variables, characters like CDPATH and IFS are also in the filtering list. Posted in, Post navigation.