The Register ®


Comments on ‘Adobe gifts internal file permissions to unwashed masses’

Directory traversal shocker

Published Thursday 27th September 2007 00:20 GMT


Couple of things ... 

By Sabahattin Gucukoglu
Posted Thursday 27th September 2007 04:40 GMT

I think you mean "Traversal", not "Transversal". It's a directory traversal attack, because you're using relative paths (e.g. ../../../etc/passwd) to traverse the filesystem while avoiding most of the common checks done by software to see that they're not being abused (e.g. paths don't begin with a '/', in order to detect if a filename is given). Even when checks are in place to attempt the resolution of pathnames, they're not always sufficient - see, for instance, the Microsoft Unicode double-escape directory traversal attack in IIS.

The other issue is considerably more serious, though: what in the name of sodding bloody buggering hell is the webserver doing with access to a key file that ought to be root-owned and that the server ought to have read into memory before dropping the hell away from superuser privileges and certainly before even thinking about accepting queries over the network?

Cheers,

Sabahattin
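The two points in the comment above, as an added example that is not part of the original thread or of Adobe's code: a resolver that checks the path only after the first URL decode and then decodes again (the double-decode pattern the IIS attack abused) is bypassed by "%252e%252e/", while a resolver that decodes exactly once, canonicalises, and then checks that the result is still under the document root rejects the same input. The web root /var/www/htdocs and the request strings are constructed for the demonstration; posixpath is used so the check runs without touching a real filesystem.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed document root for the demonstration (not from the original page).
WEBROOT = "/var/www/htdocs"


def naive_resolve(request_path: str, webroot: str = WEBROOT) -> Optional[str]:
    """Vulnerable resolver modelled on the double-decode mistake.

    It decodes once, runs its blacklist on the decoded string, then decodes
    *again* before joining with the web root.  "%252e%252e" survives the
    first decode as "%2e%2e" (no literal "..") and only becomes ".." on the
    second decode, after the check has already passed.
    """
    once = unquote(request_path)
    if once.startswith("/") or ".." in once:
        return None  # filter fires: request rejected
    twice = unquote(once)  # second decode: the bug
    return posixpath.normpath(posixpath.join(webroot, twice))


def safe_resolve(request_path: str, webroot: str = WEBROOT) -> Optional[str]:
    """Hardened resolver: decode exactly once, canonicalise, check containment.

    The containment check is made on the canonical path, not on the raw
    string, so it does not matter how the ".." was spelled.  In production
    also run os.path.realpath on the real filesystem so symlinks inside the
    web root cannot point outside it.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None  # NUL would truncate the name in the C open() underneath
    candidate = posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))
    if candidate != webroot and not candidate.startswith(webroot + "/"):
        return None  # escaped the document root
    return candidate


# Constructed requests: plain, single-encoded and double-encoded traversal,
# plus two legitimate paths.
SAMPLE_REQUESTS = [
    "/index.html",
    "docs/../index.html",
    "../../../etc/passwd",
    "..%2f..%2f..%2fetc/passwd",
    "%252e%252e/%252e%252e/%252e%252e/etc/passwd",
]


def compare(requests=SAMPLE_REQUESTS) -> dict:
    """Map each request to (naive result, safe result)."""
    return {r: (naive_resolve(r), safe_resolve(r)) for r in requests}


if __name__ == "__main__":
    for req, (naive, safe) in compare().items():
        print(f"{req!r:48} naive={naive!r:40} safe={safe!r}")
```

The double-encoded request is the one to watch: the naive resolver hands back /etc/passwd, while the hardened one returns a harmless nonexistent path inside the web root (a 404), because after a single decode the name really is "%2e%2e" and nothing in the filesystem will match it.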

Sabahattin, you're right 

By Dan Goodin
Posted Thursday 27th September 2007 05:08 GMT (staff)

It's traversal, not transversal, for exactly the reason you state.

Fixed.

before we all start typing ../../ 

By Anonymous Coward
Posted Thursday 27th September 2007 07:16 GMT

Wasn't UK security consultant Daniel Cuthbert arrested & convicted in 2005 for typing something similar that a BT monitoring outfit picked up ("non-invasive Tsunami site access")? ../../ might not be safe at work, or at home!

The obvious solution is to use Tor, except that many major Tor nodes are hosted by happy people like... "Major nodes hosted anonymously dedicated to Tor by the same person/organization in Washington DC. Each handling 5-10TB data every month"... so Tor exit skimming is a given...

7 years? 

By joe
Posted Thursday 27th September 2007 07:58 GMT

Haven't bugs like this been known for a whole lot longer than 7 years?

Ooo, should you be publishing that? 

By Anonymous Coward
Posted Thursday 27th September 2007 09:19 GMT

http://www.samizdata.net/blog/archives/008118.html

Illegal in Germany 

By Mark Allen
Posted Thursday 27th September 2007 10:05 GMT

Remember guys... no doing this trick in Germany. You'll be locked up for "hacking".

(Too lazy to locate the old El'Reg story on this... it's in there somewhere... :))

Self-Signed, eh? 

By Greem
Posted Thursday 27th September 2007 10:36 GMT

The certificate is most certainly not self-signed. More interestingly, the cert is in fact a certificate signing certificate - i.e. a CA cert - from Verisign.

The fact that it expired in 2004 seems to have passed a lot of people by, though.

Still - if the corresponding private key is still being used, then a lot of mischief could happen.

ModSecurity 

By Anonymous Coward
Posted Thursday 27th September 2007 11:30 GMT

If they'd installed mod_security (http://www.modsecurity.org/) with the standard rules to prevent directory traversal attacks then this would never have happened, despite the flaw in their application.

Mike Cardwell

Click that link, go to jail 

By Anonymous Coward
Posted Thursday 27th September 2007 13:56 GMT

Directory traversal is a crime in the UK under the Computer Misuse Act of 1990.

http://www.scl.org/editorial.asp?i=1098

Careful, the penalties can include jail sentences, and if you get arrested some pompous dick of a police officer will hold a press conference telling everyone that such crimes will not be permitted, and we will send a "strong message to someone about something".

Mostly it just sends a message how f*cked up the UK is.

So remember, FORWARD directory traversals are currently not being prosecuted, but BACKWARDS directory traversals ARE BEING PROSECUTED. Be careful to explain that to any children you have, the net is a dangerous place, one click and you can be snatched by the rozzers.

/name/ is ok unless the folder was intended to be secret

../name is definitely a no no unless the website owner explicitly used it in a URL

./name is borderline

Trivial fix? 

By Stuart Van Onselen
Posted Thursday 27th September 2007 14:20 GMT

I'm no security expert, but isn't the fix for this trivial? Run the webserver under a user account that doesn't have access to anything but the web directories and the server binaries.

That way, the OS security settings are a backstop that will stop badly-written CGI scripts, or anything else, "escaping" the web root.

Or am I missing something?

Re: Illegal in Germany 

By Thorin
Posted Thursday 27th September 2007 19:42 GMT

@ Mark Allen

Looks like the German Gov't is going to have to prosecute itself under its own new "hacking" laws.

http://blog.fukami.io/archives/2007/09/17/202c-bsi-charged-for-distribution-of-boss/

"...filed a charge against German BSI (http://www.bsi.de/). BSI stands for: Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security) and they are the central IT security service provider for the German government. The reason for the charge is BSI's distribution of BOSS (BSI OSS Security Suite), which is basically a Live CD containing Open Source security tools such as Nessus and John the Ripper."
