security issue with requests outside of www root

[Cotix]

It is possible to request parent directories.

cotix@lithium:~$ nc localhost 9999
GET /../../../../../etc/passwd HTTP/1.0

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: no-cache
Content-length: 2333
Content-type: text/plain

root:x:0:0:root:/root:/bin/bash
... my whole /etc/passwd

It is also possible to query absolute paths:

cotix@lithium:~$ nc localhost 9999
GET //etc/passwd HTTP/1.0

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: no-cache
Content-length: 2333
Content-type: text/plain

root:x:0:0:root:/root:/bin/bash

[timsoftgit]

this can be fixed by changing the lines

 if(uri[0] == '/'){
         filename = uri + 1;

for
while (filename[0] == '/') { filename = filename+1; }
and removing the extra closing brace }
it prevents the //etc/passwd style direct path hack and seems to prevent /../../../etc/passwd style indirect directory hack as well

[keymandll]

@timsoftgit does not it prevent the /../../../etc/passwd style attack because URI ends up being ../../../etc/passwd style? I suggest you try your suggested fix with the below payload (URI) as well.

//../../../etc/passwd

[timsoftgit]

you're right. To do it properly you have to filter out all ../ recursively as well, otherwise something like
....//....//etc/passwd would also be a problem.