Published: 2005-05-16 00:00:00
Revised: 2016-10-17 23:19:22

[Original] Pico Server (pServ) 3.2 and earlier allows local users to read arbitrary files as the pServ user via a symlink to a file outside of the web document root.

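[CNNVD] PServ Symbolic Link Information Disclosure Vulnerability (CNNVD-200505-1056)

Pico Server (pServ) 3.2 and earlier allows local users to read arbitrary files via a symlink to a file outside of the web document root.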

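- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)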


- OVAL (Technical Details for Detection)


- Official Database Links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other Links and Resources
(UNKNOWN)  FULLDISC  20050516 Pico Server (pServ) Local Information Disclosure

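- Vulnerability Information

PServ Symbolic Link Information Disclosure Vulnerability
High risk Input validation
2005-05-16 00:00:00 2006-05-04 00:00:00
Pico Server (pServ) 3.2 and earlier allows local users to read arbitrary files via a symlink to a file outside of the web document root.

- Advisories and Patches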


- Vulnerability Information (F39269)

rt-sa-2005-012.txt (PacketStormID:F39269)
2005-08-14 00:00:00
exploit,local,info disclosure

RedTeam found an information disclosure vulnerability in Pico Server (pServ) which results in a local user reading all files on the server with pServ's permissions. Versions 3.2 and below are susceptible.

Advisory: Pico Server (pServ) Local Information Disclosure

RedTeam found a local information disclosure vulnerability in Pico Server
(pServ) which results in a local user reading all files on the server with
pServ's permissions.


Product: Pico Server (pServ)
Affected Version: 3.3, 3.2(verified), < 3.2 probably too
Immune Version: none
OS affected: all
Security-Risk: low
Remote-Exploit: no
Vendor-Status: informed
Advisory-Status: published
CVE: CAN-2005-1367


Pico Server is a small web server. It is meant to be portable and

* small, portable
* fast
* CGI-BIN support
* auto-indexing of directories
* access and error logging (see p-reporter for an analyzer)
* forking or single-connection at choice

Pico Server (pServ) is written in portable C (K&R style so it can compile on
older compilers too) and sports several options that by means of #define
statements can customize the behavior, the performance and the feature set so
to be able to fit better the requisites.

pServ follows symlinks without checking whether a symlink points outside the

More Details

pServ does not distinguish normal files from symlinks. It checks only the
link itself and does not check whether the symlink target is still inside
the webroot. An attacker with access to a directory on the web server (e.g.
via ftp) can therefore place a symlink to any file on the server there. He
can then retrieve that file (if pServ has the permission to read it) through
the web server by navigating his browser to that link.
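
The check described above as missing, sketched in C as an added example (not code from pServ or from the advisory): resolve the requested path with realpath() and serve it only if the result is still under the document root. The function names and the temporary demo tree are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if path, with every symlink resolved, is still inside docroot;
 * 0 if it escapes the docroot or cannot be resolved. */
int inside_docroot(const char *docroot, const char *path)
{
    char root[PATH_MAX], real[PATH_MAX];
    if (!realpath(docroot, root) || !realpath(path, real))
        return 0;
    size_t n = strlen(root);
    /* The prefix must end on a component boundary, so that /srv/www does
     * not also match /srv/www-private; n == 1 means the docroot is "/". */
    return strncmp(real, root, n) == 0 &&
           (n == 1 || real[n] == '/' || real[n] == '\0');
}

/* Constructed demo tree: <tmp>/www/index.html is a regular file and
 * <tmp>/www/leak is a symlink to <tmp>/secret, outside the docroot.
 * Returns a bitmask: bit 0 = index.html allowed, bit 1 = leak allowed. */
int demo(void)
{
    char base[] = "/tmp/pserv-demo-XXXXXX";
    char root[64], file[64], leak[64], secret[64];
    FILE *f;
    if (!mkdtemp(base)) return -1;
    snprintf(root, sizeof root, "%s/www", base);
    snprintf(file, sizeof file, "%s/www/index.html", base);
    snprintf(leak, sizeof leak, "%s/www/leak", base);
    snprintf(secret, sizeof secret, "%s/secret", base);
    if (mkdir(root, 0700) != 0 || symlink(secret, leak) != 0)
        return -1;
    if ((f = fopen(file, "w"))) fclose(f);
    if ((f = fopen(secret, "w"))) fclose(f);
    int result = inside_docroot(root, file) | (inside_docroot(root, leak) << 1);
    unlink(file); unlink(leak); unlink(secret); rmdir(root); rmdir(base);
    return result;
}

int main(void)
{
    printf("demo() = %d (1: only index.html may be served)\n", demo());
    return 0;
}
```

A link swapped between this check and the later open() would still slip through, so a server should open the resolved path it just validated rather than the original request path.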

Proof of Concept

Retrieving /etc/shadow if pServ runs as root:
1. As user go to your web-directory e.g.: cd /usr/local/var/www/userdir
2. Create a link to /etc/shadow: ln -s /etc/shadow
3. Retrieve the shadow file by pointing your browser to


pServ should run as a user with minimal privileges. Files that should not be
read by unprivileged users should have their permissions set accordingly.


The problem will not be fixed in the next version of pServ. From version 3.3
on there is a hint in the readme file that informs of this issue.

Security Risk

The security risk is rated low because an attacker must already have access
to the system. Also usually the administrator will run pServ with minimal
privileges. On the other hand a user could place a link to some directory
(e.g.: / ) without knowing what he is doing.


2005-04-29 found
2005-05-02 first attempt to inform developers
2005-05-02 CAN-number assigned
2005-05-04 second attempt to inform developers
2005-05-16 got the information that the problem will not be fixed. Advisory


RedTeam is a penetration testing group working at the Laboratory for
Dependable Distributed Systems at RWTH-Aachen University. You can find more
Information on the RedTeam Project at


- Vulnerability Information

Pico Server (pServ) Symlink Privileged File Disclosure
Local Access Required Race Condition
Loss of Confidentiality
Exploit Public

- Vulnerability Description

pServ contains a flaw that may allow a malicious user to view arbitrary files on the system. The issue is due to the web server not differentiating between files and symbolic links. It is possible for a local user with access to the web server directory to create a symbolic link from a critical file on the system to a file in the web server. Visiting the link via the server will disclose the contents of the linked file resulting in a loss of confidentiality.

- Timeline

2005-05-16 2005-04-29
2005-05-16 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related References

- Vulnerability Author

- Vulnerability Information

PServ Symbolic Link Information Disclosure Vulnerability
Input Validation Error 13634
No Yes
2005-05-16 12:00:00 2009-07-12 02:56:00
Discovered by Claus R. F. Overbeck <>.

- Affected Program Versions

Pserv Pserv 3.3
Pserv Pserv 3.2

- Vulnerability Discussion

pServ is prone to an information disclosure vulnerability through symbolic link files. This occurs because the application will follow symbolic links to files outside the Web root.

This issue was reported to affect pServ 3.2 and 3.3; other versions are likely vulnerable.

- Exploit

An exploit is not required.

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- Related References