
rust-http-server's People

Contributors

rdesarz


Forkers

siarhei-plusnin

rust-http-server's Issues

Unauthorized Access Exploit

Hello! I have been interested in running a simple web server for a small project and I have decided to use this time to learn Rust! In my search for understanding web server hosting with Rust I came across your repo and was interested in what it offered.

Your program so far has been quite wonderful I can say but, of course, I would not be writing you an issue if I found it was perfect.

I come from a hacking background and always try to find vulnerabilities in software I write and in things I use. I am, of course, a white hat and do not use this information for malicious purposes and instead report it to the appropriate person(s).

I understand that this software is not a big name library for web hosting solutions in rust but I do think I have an offer for you to learn yourself smart and improve your skills just a little more!

This is where I begin to describe the attack and what I have found:

Bug Explained

The way that this web server hosts its content via calling it in the URL, i.e. localhost:8080/hello.html, is fundamentally flawed.

My first instinct was to try asking for /.., which did not do anything; however, this is because I ran this on a Windows machine, which is obviously not Linux. Thinking into this, I started going for Windows syntax like C:\ and luckily there is not a system in place that offers a page that gives you directory contents, but if you know what you are looking for you can still access everything in the system with a valid URL to it. I tried accessing files with spaces but that seems to not work, so they may be safe, but otherwise any other file can be accessed.
[image]
I would put money on it that if this system were run on a Linux machine and someone had improperly managed permissions, the /etc/passwd or /etc/shadow file could be displayed for all to see if asked nicely from this Rust server.

TL;DR bad stuff

Conclusion

I think ultimately from this, it does not matter. Technically speaking this should not be used by anyone in a production manner but not everyone has the forethought to say "Hey! This might not be secured! I shouldn't assume the person who wrote this thought everything through and bug tested! This is not production level material!" I would say that it would be a good opportunity for the author to maybe implement security into their software and learn something about it. Otherwise this is just me putting it out there that this software is not safe to use at all.

and furthermore THANK YOU for giving me a half hour of fun bug testing and getting back into my roots :)!
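The flaw the reporter describes is a path traversal in the URL-to-file mapping. The following is an added example and is not code from rust-http-server or from the issue: a minimal resolver in the style of such a server, the naive form the issue describes beside a hardened one that decodes the request path and then validates every segment before it reaches the filesystem. The function names, the document root `/srv/www` and the sample request paths are assumptions for illustration.

```rust
use std::fs::File;
use std::io;
use std::path::{Component, Path, PathBuf};

/// The naive mapping the issue describes: the URL path is glued onto the
/// document root with no validation. On Linux "/../etc/passwd" walks out of
/// the root; on Windows an absolute path such as "C:\Windows\win.ini" makes
/// `join` discard the root entirely.
fn resolve_unchecked(root: &Path, url_path: &str) -> PathBuf {
    root.join(url_path.trim_start_matches('/'))
}

/// Decode %XX escapes. Returns None on a malformed escape or invalid UTF-8,
/// so "%2e%2e" cannot slip past the segment checks below while still encoded.
fn percent_decode(s: &str) -> Option<String> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            let hex = s.get(i + 1..i + 3)?;
            out.push(u8::from_str_radix(hex, 16).ok()?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

/// Hardened mapping: decode first, then validate every segment of the request
/// path. Rejects "..", Windows separators and drive/stream syntax ("\", ":"),
/// NUL bytes, and anything the host's own path parser does not treat as a
/// single ordinary file name.
fn resolve_checked(root: &Path, url_path: &str) -> Option<PathBuf> {
    let decoded = percent_decode(url_path)?;
    let mut out = root.to_path_buf();
    for seg in decoded.split('/') {
        if seg.is_empty() || seg == "." {
            continue; // "//" and "/./" add nothing
        }
        if seg == ".." {
            return None; // traversal attempt
        }
        if seg.chars().any(|c| c == '\\' || c == ':' || c == '\0') {
            return None; // Windows separator, drive letter / ADS, or NUL
        }
        // Defence in depth: the platform parser must agree this is one plain name.
        let mut comps = Path::new(seg).components();
        match (comps.next(), comps.next()) {
            (Some(Component::Normal(_)), None) => out.push(seg),
            _ => return None,
        }
    }
    Some(out)
}

/// Open a file for serving. Canonicalising both sides catches symlinks inside
/// the root that point outside it, which the string checks above cannot see.
fn open_within_root(root: &Path, url_path: &str) -> io::Result<File> {
    let denied = || io::Error::new(io::ErrorKind::PermissionDenied, "path escapes document root");
    let candidate = resolve_checked(root, url_path).ok_or_else(|| denied())?;
    let root_real = std::fs::canonicalize(root)?;
    let real = std::fs::canonicalize(&candidate)?;
    if !real.starts_with(&root_real) {
        return Err(denied());
    }
    File::open(real)
}

fn main() {
    // Constructed document root and request paths; nothing is opened here.
    let root = Path::new("/srv/www");
    let requests = [
        "/hello.html",
        "/../etc/passwd",
        "/%2e%2e/etc/passwd",
        "/C:\\Windows\\win.ini",
        "/hello%20world.html",
    ];
    for req in requests {
        println!(
            "{} -> naive: {} | checked: {:?}",
            req,
            resolve_unchecked(root, req).display(),
            resolve_checked(root, req)
        );
    }
}
```

The segment check is deliberately done on the decoded string rather than by calling `Path::components` on the whole request, because `components` is platform dependent: on Linux `C:\Windows\win.ini` is one ordinary file name, on Windows it is a drive prefix that replaces the root. `open_within_root` is the piece that actually runs on a request; the `canonicalize` comparison only works for paths that exist, which is why the pure string validation comes first.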
