
Known Errors

These are the known errors in our products, logged as reported with versions and platforms affected as well as corrections and work-arounds.

This list is largely historical, since it records all problems that have been reported throughout G&R history. Only the most recently reported problems still exist, unless you are using a very old copy of the product, in which case you should update the product to the most recent version.


E1001: GwebS security problems with malformed URLs

Product: GwebS/GwebSS, all versions
Platform: All
Status: Fixed in 6.2, fix available for 6.1.1 and 6.0.3
Last updated: 2004-06-24 13:57:53

When processing a request for a disk file, such as
"http://www.gar.no/gweb/index.htm", GwebS normally replaces a fixed part of
the URL with a path to the disk directory where the file exists. For example,
"http://www.gar.no" could be replaced with "c:\gar\html". The result of this
is given to the file system, and - if the file exists - the file's content is
delivered to the user's browser.

However, if the web server request contained "/.." sequences, meaning "up
one directory level", GwebS could use a file outside the top-level
directory of the web server configuration. This could lead to a security
problem.

The corrected version of GwebS verifies that "/.." sequences in the HTTP
request do not compromise the web server security.
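
The following sketch is an added example, not G&R's code or its actual fix: it puts the prefix replacement described above beside a mapping that resolves "/.." first and refuses anything that lands outside the top-level directory. The function names and the sample URLs are constructed for illustration; only "http://www.gar.no" and "c:\gar\html" come from this page.

```python
import ntpath  # Windows path rules, usable on any OS
from typing import Optional
from urllib.parse import unquote, urlsplit

DOC_ROOT = r"c:\gar\html"  # disk directory from the page's example

def map_naive(url: str) -> str:
    """Behaviour described above: swap the URL prefix for the root, no checks.
    normpath stands in for the file system resolving ".." when it opens the file."""
    return ntpath.normpath(DOC_ROOT + urlsplit(url).path.replace("/", "\\"))

def map_checked(url: str) -> Optional[str]:
    """Return the disk path only if it resolves inside DOC_ROOT, else None."""
    path = unquote(urlsplit(url).path)  # decode %2e%2e before checking
    if "\x00" in path:
        return None
    # Resolve ".." (with either separator) first, then test containment.
    candidate = ntpath.normpath(ntpath.join(DOC_ROOT, path.lstrip("/\\")))
    root = ntpath.normcase(ntpath.normpath(DOC_ROOT))
    resolved = ntpath.normcase(candidate)
    # The trailing separator stops a sibling such as c:\gar\html2 from matching.
    if resolved != root and not resolved.startswith(root + "\\"):
        return None
    return candidate

if __name__ == "__main__":
    # Constructed sample requests; outside.txt is a placeholder file name.
    samples = [
        "http://www.gar.no/gweb/index.htm",
        "http://www.gar.no/gweb/../index.htm",
        "http://www.gar.no/gweb/../../outside.txt",
        "http://www.gar.no/%2e%2e/outside.txt",
        "http://www.gar.no/../html2/page.htm",
    ]
    for url in samples:
        print(f"{url}\n  naive:   {map_naive(url)}\n  checked: {map_checked(url)}")
```

A string comparison like this does not follow symbolic links or junctions; a server that permits them under the root has to resolve the real path before comparing.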

Avoidance procedure: None. Install a corrected version of gwebs/gwebss as
soon as possible.

(c) Copyright 1982-2017 Gallagher & Robertson AS. Webmaster: webmaster@gar.no

URL: http://www.gar.no/support/errors
 