Source Code Disclosure in Yaws Webserver

SEC-CONSULT Security Advisory < 20050616-0 >
=======================================================================
title: Source Code Disclosure in Yaws Webserver
program: Yaws Webserver
vulnerable version: 1.55 and earlier
homepage: yaws.hyber.org
found: 2005-06-01
by: M. Eiszner / SEC-CONSULT / www.sec-consult.com
=======================================================================

 

vendor description:
---------------

Yaws is a high performance HTTP 1.1 webserver. Two separate modes of
operation are supported:

* Standalone mode where Yaws runs as a regular webserver daemon.
  This is the default mode.

* Embedded mode where Yaws runs as an embedded webserver in another
  Erlang application.

Yaws is entirely written in Erlang; furthermore, it is a multithreaded
webserver where one Erlang lightweight process is used to handle each
client.

vulnerability overview:
---------------

If a null byte (URL-encoded as %00) is appended to the filename of a
yaws script (.yaws) in the request, the yaws webserver returns a page
containing the source code of the corresponding script. This flaw allows
a malicious attacker to analyse the source code of the entire web
application, which might result in the attacker gaining sensitive
information like passwords.

proof of concept:
---------------

The yaws homepage itself was vulnerable to the attack. Opening the link
yaws.hyber.org/dynamic.yaws%00 in a browser resulted in the display of
the following code (only the first couple of lines are shown):

--- code ---
<erl>

box(Str) ->
    {'div',[{class,"box"}],
     {pre, [], yaws_api:htmlize(Str)}}.

tbox(T) ->
    box(lists:flatten(io_lib:format("~p",[T]))).

...
--- /code ---
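
The following is an added example and is not code from the advisory or
from the Yaws project (Yaws itself is written in Erlang; this is Python).
It models the class of bug described above: a request path that decodes
to "dynamic.yaws" followed by a NUL byte fails a suffix-based "is this a
script?" check, while a C-string based open() cuts the name at the NUL
and reads the script's own source. The classifier, the truncation model,
the file names and the access-log lines are constructed assumptions for
illustration. Beyond the advisory's own scenario it adds the two checks a
defender wants: rejecting decoded NUL bytes before any suffix logic runs,
and flagging such requests in an access log.

```python
"""
Added example, not Yaws code: models the suffix-check / NUL-truncation
mismatch behind the advisory and shows two defensive measures.  The
classifier, the truncation model, the file names and the log lines are
constructed assumptions for illustration, not Yaws's real implementation.
"""
import re
from urllib.parse import unquote

# Extension that marks a server-side script (taken from the advisory).
SCRIPT_SUFFIX = ".yaws"


def naive_classify(raw_path: str) -> str:
    """Suffix check on the decoded request path, as a model of the flaw.

    '/dynamic.yaws%00' decodes to '/dynamic.yaws' plus a NUL byte.  That
    string no longer ends in '.yaws', so a suffix check treats it as a plain
    static file and the server sends its bytes back instead of running it.
    """
    decoded = unquote(raw_path)
    return "script" if decoded.endswith(SCRIPT_SUFFIX) else "static"


def opened_filename(raw_path: str) -> str:
    """Model the name a C-string based open() actually sees: everything
    after the first NUL byte is dropped (assumed runtime behaviour; Python's
    own open() would raise ValueError on an embedded NUL instead).
    """
    decoded = unquote(raw_path)
    return decoded.split("\x00", 1)[0]


def hardened_classify(raw_path: str) -> str:
    """Decode first, then refuse any NUL byte before suffix logic runs, so the
    name being classified can no longer differ from the name being opened."""
    decoded = unquote(raw_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in request path: %r" % raw_path)
    return "script" if decoded.endswith(SCRIPT_SUFFIX) else "static"


# Request target of a Common Log Format line that carries an encoded NUL.
NUL_IN_TARGET = re.compile(r'"(?:GET|HEAD|POST) (\S*%00\S*) HTTP/', re.IGNORECASE)


def scan_access_log(lines):
    """Return (line number, request target) for every log line whose request
    target contains a percent-encoded NUL byte."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = NUL_IN_TARGET.search(line)
        if match:
            hits.append((number, match.group(1)))
    return hits


# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Jun/2005:10:00:01 +0200] "GET /dynamic.yaws HTTP/1.1" 200 5120',
    '10.0.0.5 - - [16/Jun/2005:10:00:07 +0200] "GET /dynamic.yaws%00 HTTP/1.1" 200 4012',
    '10.0.0.9 - - [16/Jun/2005:10:00:09 +0200] "GET /index.html HTTP/1.1" 200 911',
]


if __name__ == "__main__":
    for path in ("/dynamic.yaws", "/dynamic.yaws%00"):
        print(path, "naive:", naive_classify(path), "opens:", opened_filename(path))
        try:
            print(path, "hardened:", hardened_classify(path))
        except ValueError as err:
            print(path, "hardened: rejected,", err)
    for number, target in scan_access_log(SAMPLE_LOG):
        print("suspicious request on log line %d: %s" % (number, target))
```

The design point is ordering: the hardened check decodes the path once and
rejects NUL bytes before any decision depends on the name, so the string
that is classified is the same string the filesystem will open. The log
scanner is a cheap retrospective check for the same pattern in traffic
that has already been served.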

 

 

vulnerable versions:
---------------

It seems that version 1.55 as well as all prior versions are vulnerable
to the attack described above.

vendor status:
---------------
vendor notified: 2005-06-16
vendor response: 2005-06-16
patch available: 2005-06-16

The vendor was extremely fast to respond and post a fix. This is what
vendor vulnerability management should be like!

Download patch from: yaws.hyber.org/yaws-1.55_to_1.56.patch

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com

EOF Daniel Fabian / @2005
d.fabian at sec-consult dot com