We received the following post on the WLMP Project (http://wlmp.dtech.hu) forum:
To whom it may concern,
I am not sure whether or not the Win32 build of Lighttpd is officially supported,
but I would like to report a security vulnerability specific to this specific release.
The vulnerability is due to an NTFS-specific feature, called an ADS stream. Using this feature, it is possible to retrieve the source code of a file stream that would normally be interpreted by e.g. PHP using the ":$DATA". (I believe IIS and/or Apache had similar vulnerabilities; Apache on Win32 completely forbids the ":" character in URLs now.)
Example:
You can retrieve the source code of http://wlmp.dtech.hu/index.php by using the URL http://wlmp.dtech.hu/index.php::$DATA
I'm not sure whether there are additional parameters similar to ":$DATA", but I think it's safe to say that ADS streams should be ignored/disallowed completely. The feature isn't very well documented and not very commonly used.
More information about NTFS/ADS can be found at http://en.wikipedia.org/wiki/NTFS
Regards,
Ben de Graaff
We can confirm the existence of this vulnerability.
Proposed solution in src/request.c:
Replace
    int request_uri_is_valid_char(unsigned char c) {
        if (c <= 32) return 0;   // control characters and space
        if (c == 127) return 0;  // DEL
        if (c == 255) return 0;
        return 1;
    }
with
    int request_uri_is_valid_char(unsigned char c) {
        if (c <= 32) return 0;   // control characters and space
        if (c == 58) return 0;   // 58 is the ASCII code for ':' (NTFS stream separator)
        if (c == 127) return 0;  // DEL
        if (c == 255) return 0;
        return 1;
    }
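The following is an added example, not code from the WLMP project or from lighttpd. It runs the proposed per-character filter over a few constructed request targets, and beside it a hypothetical narrower check (an assumption of this example, not part of the report) that looks for ':' only in the path component, so that a query string such as "?t=12:30" is not rejected along with the ADS suffix. It assumes origin-form request targets starting with '/'.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The fix proposed above: reject ':' anywhere in the raw request URI. */
int request_uri_is_valid_char(unsigned char c) {
    if (c <= 32) return 0;
    if (c == 58) return 0;   /* ':' */
    if (c == 127) return 0;
    if (c == 255) return 0;
    return 1;
}

/* Apply the per-character filter to a whole request URI; 1 = accepted. */
int uri_passes_char_filter(const char *uri) {
    const unsigned char *p;
    for (p = (const unsigned char *)uri; *p != '\0'; p++) {
        if (!request_uri_is_valid_char(*p)) return 0;
    }
    return 1;
}

/* Hypothetical narrower check (an assumption of this example): look for ':'
 * only in the path component, i.e. before any '?' or '#'. On NTFS a ':' in a
 * path names an alternate data stream ("file::$DATA", "file:stream"), which no
 * legitimate path component needs, while a ':' inside a query string is
 * ordinary and should keep working. 1 = path contains an ADS separator. */
int uri_path_has_ads_colon(const char *uri) {
    size_t path_len = strcspn(uri, "?#");
    return memchr(uri, ':', path_len) != NULL;
}

int main(void) {
    /* Constructed sample request targets. */
    const char *samples[] = {
        "/index.php", "/index.php::$DATA", "/index.php:$DATA", "/index.php?t=12:30"
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-22s char filter: %s   path ADS check: %s\n", samples[i],
               uri_passes_char_filter(samples[i]) ? "accept" : "reject",
               uri_path_has_ads_colon(samples[i]) ? "reject" : "accept");
    }
    return 0;
}
```

Both checks reject the ADS forms; the last sample shows the one case where they differ, a legitimate ':' in the query string that the per-character filter would also refuse.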