
Sending url with ../../ in the path via a POST

Phil Daintree
23 January 2010, 23:51

Hiawatha version: 6.16
Operating System: Puppy Linux 4.3.1

Hugo,
I am trying to debug an XML-RPC call to the application I work on, webERP (http://www.weberp.org).
We are using the Edd Dumbill xml-rpc class:

<code>// by Edd Dumbill (C) 1999-2002
// <edd@usefulinc.com>
// $Id: xmlrpc.inc,v 1.174 2009/03/16 19:36:38 ggiunta Exp $</code>

The process is to open a socket to the web-server with

<code>$fp=@fsockopen($connectserver, $connectport, $this->errno, $this->errstr, $timeout);</code>

then send the POST as a string - the string concerned that is failing is:

<code>POST /webERP/doc/Manual/../../api/api_xml-rpc.php HTTP/1.0
User-Agent: XML-RPC for PHP 3.0.0.beta
Host: localhost:80
Accept-Encoding: gzip, deflate
Accept-Charset: UTF-8,ISO-8859-1,US-ASCII
Content-Type: text/xml
Content-Length: 111

system.listMethods</code>

You'll notice that the string contains a URL with ../../ in it. If I hard code the URL as

<code>webERP/api/api_xml-rpc.php</code>

then the method works fine. It is the resolving of the URL with the ../../ in there that gives the problem.

When I enter the URL manually into the browser it resolves OK - but sending it directly to the web-server as a string is not resolving correctly and I get a not found.

You can see this yourself if you have webERP installed and you try to open the API Manual - the API manual is written as an XML-RPC client to the webERP XML-RPC API - which iterates through the methods to get the manual text. It's too clever for me - it was written by someone else. This works under apache :-(

Phil

Hugo Leisink
24 January 2010, 10:17

Having .. in your URL can lead to directory traversal. That's why Hiawatha denies requests which contain it. Having .. in a URL is totally unnecessary. A web application which uses it is badly designed. I know Apache supports all sorts of badly and insecurely designed web applications. But with Hiawatha I refuse to go that way.

The reason why a URL which contains .. works well in a browser is that a browser will remove it before sending the URL to a webserver.

My advice: remove the .. from the web application and send a bug report to the author.
This topic has been closed.
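
The normalisation the reply says browsers perform before sending a URL, as an added PHP example (not code from webERP, XML-RPC for PHP or Hiawatha): the client removes dot segments per RFC 3986 section 5.2.4 before building the request line. All function names are hypothetical, and `has_parent_segment` is an assumed stand-in for the server-side rule, whose implementation the thread does not show.

```php
<?php
// Added example: not webERP, XML-RPC for PHP, or Hiawatha code.
// Function names are hypothetical.

// Remove "." and ".." segments from an absolute URL path, as browsers do
// before sending a request (RFC 3986, section 5.2.4).
function remove_dot_segments(string $path): string
{
    $segments = explode('/', $path);
    $last = count($segments) - 1;
    $out = [];
    foreach ($segments as $i => $seg) {
        if ($seg !== '.' && $seg !== '..') {
            $out[] = $seg;
            continue;
        }
        // ".." drops the previous segment but never climbs above the root.
        if ($seg === '..' && count($out) > 1) {
            array_pop($out);
        }
        // A trailing "." or ".." leaves a directory path ending in "/".
        if ($i === $last) {
            $out[] = '';
        }
    }
    return implode('/', $out);
}

// Normalise the path of a request target, leaving any query string untouched.
function normalise_target(string $target): string
{
    $parts = explode('?', $target, 2);
    $parts[0] = remove_dot_segments($parts[0]);
    return implode('?', $parts);
}

// Assumed stand-in for the server-side rule: refuse any target whose
// percent-decoded path still contains a ".." segment.
function has_parent_segment(string $target): bool
{
    $path = rawurldecode(explode('?', $target, 2)[0]);
    return in_array('..', explode('/', $path), true);
}

$raw = '/webERP/doc/Manual/../../api/api_xml-rpc.php'; // target from the post
$clean = normalise_target($raw);
var_dump(has_parent_segment($raw), $clean, has_parent_segment($clean));
```

Because `..` can never climb above the root in `remove_dot_segments`, the normalised target always stays inside the server's URL space, which is the property the server-side rejection protects.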