Phil Daintree
23 January 2010, 23:51
Hiawatha version: 6.16
Operating System: Puppy Linux 4.3.1
Hugo,
I am trying to debug an XML-RPC call to the application I work on webERP http://www.weberp.org
We are using the Edd Dumbill xml-rpc class
// by Edd Dumbill (C) 1999-2002
// <edd@usefulinc.com>
// $Id: xmlrpc.inc,v 1.174 2009/03/16 19:36:38 ggiunta Exp $
The process is to open a socket to the web-server with
<code>$fp=@fsockopen($connectserver, $connectport, $this->errno, $this->errstr, $timeout);</code>
then send the POST as a string - the string concerned that is failing is:
<code>POST /webERP/doc/Manual/../../api/api_xml-rpc.php HTTP/1.0
User-Agent: XML-RPC for PHP 3.0.0.beta
Host: localhost:80
Accept-Encoding: gzip, deflate
Accept-Charset: UTF-8,ISO-8859-1,US-ASCII
Content-Type: text/xml
Content-Length: 111

system.listMethods</code>
You'll notice that the string contains a URL with ../../ in it. If I hard code the URL as
<code>webERP/api/api_xml-rpc.php</code>
then the method works fine. It is the resolving of the URL with the ../../ in there that gives the problem.
When I enter the URL manually into the browser it resolves OK - but sending it directly to the web-server as a string is not resolving correctly and I get a not found.
You can see this yourself if you have webERP installed and you try to open the API Manual - the API manual is written as an XML-RPC client to the webERP XML-RPC API - which iterates through the methods to get the manual text. It's too clever for me - it was written by someone else. This works under apache :-(
Phil
Hugo Leisink
24 January 2010, 10:17
Having .. in your URL can lead to directory traversal. That's why Hiawatha denies requests which contain it. Having .. in a URL is totally unnecessary. A web application which uses it is badly designed. I know Apache supports all sorts of badly and insecurely designed web applications. But with Hiawatha I refuse to go that way.
The reason why a URL which contains .. works well in a browser is because a browser will remove it before sending the URL to a webserver.
My advice: remove the .. from the web application and send a bug report to the author.
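An added illustration of the two points in the reply above (this is not code from Hiawatha, webERP or the XML-RPC library): the dot-segment removal a browser performs before sending a URL, next to a strict server-side check that refuses any request whose target still carries a `..` segment. The raw request is a constructed copy of the one quoted in the question, with the headers abbreviated.

```python
from typing import Tuple
from urllib.parse import unquote


def remove_dot_segments(path: str) -> str:
    """Resolve '.' and '..' the way a browser does before sending (RFC 3986,
    section 5.2.4). A '..' can never climb above '/', so the result is absolute."""
    segments = path.split("/")
    output = []
    for seg in segments[1:]:  # skip the empty segment before the leading '/'
        if seg == "..":
            if output:
                output.pop()
        elif seg != ".":
            output.append(seg)
    if segments[-1] in (".", ".."):
        output.append("")  # keep the trailing slash of '/a/b/..' -> '/a/'
    return "/" + "/".join(output)


def has_dot_dot_segment(path: str) -> bool:
    """Server-side policy in the spirit of Hiawatha's: refuse any target with a
    '..' segment instead of resolving it. Percent-decode first so an encoded
    '%2e%2e' does not slip past the check."""
    return ".." in unquote(path).split("/")


def request_path(raw_request: str) -> str:
    """Take the request-target from the request line, without the query string."""
    request_line = raw_request.split("\r\n", 1)[0]
    _method, target, _version = request_line.split(" ")
    return target.split("?", 1)[0]


# Constructed sample modelled on the request quoted in the question.
RAW_REQUEST = (
    "POST /webERP/doc/Manual/../../api/api_xml-rpc.php HTTP/1.0\r\n"
    "User-Agent: XML-RPC for PHP 3.0.0.beta\r\n"
    "Host: localhost:80\r\n"
    "Content-Type: text/xml\r\n"
    "\r\n"
)


def decide(raw_request: str) -> Tuple[str, str]:
    """Return (what a strict server does with the raw target, the path a
    normalising client would have sent instead)."""
    path = request_path(raw_request)
    verdict = "denied" if has_dot_dot_segment(path) else "served"
    return verdict, remove_dot_segments(path)
```

The second element of `decide()` is exactly the hard-coded path that the question reports as working, which is why fixing the client (or the application that builds the URL) is the right place to solve this.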
This topic has been closed.