Your embedded web server is so 2003
Meet my new favorite web server, the GoAhead WebServer. We’ve been playing around with a handful of embedded devices recently, and most vendors now give you some sort of web interface to configure them through. It turns out a lot of them ship GoAhead’s web server, which hasn’t had an official update from the vendor since 2003. This tiny guy is written in C and the source code is downloadable (although you do need a license).
While some vendors have heavily customized the server, others run it almost as-is, only adding their own Active Server Pages (ASP). What is interesting from a security standpoint is that a number of recent devices we’ve seen still use old versions of the web server. These old versions include vulnerabilities like “%5C” directory traversal and changing the file extension of a request from “.asp” to “.as%70” to view the server-side source. DoS attacks are also likely to work (although I think that is a difficult issue for any embedded web server), and you are likely to find CSRF against the applications running on this web server, since developers have to roll their own mitigation for it. Here’s a link to the release notes with security fixes from the latest version of the GoAhead WebServer, updated December 2, 2003.
http://data.goahead.com/Software/Webserver/2.1.8/release.htm
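As an added example (my own, not code from the post or from GoAhead), here is a small Python log scanner that flags requests using the two tricks described above by percent-decoding and canonicalizing the path before checking it, which is also what the server itself should do before deciding how to serve a file. The log lines are constructed samples.

```python
"""Flag requests that use backslash traversal or an encoded .asp extension."""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not from a real device.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jun/2009:10:00:01 +0000] "GET /index.asp HTTP/1.1" 200 512
192.0.2.11 - - [01/Jun/2009:10:00:02 +0000] "GET /..%5C..%5Cetc/passwd HTTP/1.1" 200 1024
192.0.2.12 - - [01/Jun/2009:10:00:03 +0000] "GET /config.as%70 HTTP/1.1" 200 2048
192.0.2.13 - - [01/Jun/2009:10:00:04 +0000] "GET /images/logo.gif HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def canonical_path(raw):
    """Percent-decode until stable (defeats double encoding), then fold '\\' into '/'."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def classify(raw_path):
    """Return the list of findings for one request path; empty means it looks benign."""
    findings = []
    canon = canonical_path(raw_path)
    if "%5c" in raw_path.lower() or "\\" in raw_path:
        findings.append("backslash-traversal")
    if "/../" in canon + "/":
        findings.append("dot-dot-traversal")
    # Decoded name is an .asp page but the raw request hid that (e.g. .as%70):
    # the extension check was bypassed, so the server may have sent raw source.
    raw_stem = raw_path.split("?", 1)[0].lower()
    canon_stem = canon.split("?", 1)[0].lower()
    if canon_stem.endswith(".asp") and not raw_stem.endswith(".asp"):
        findings.append("encoded-asp-extension")
    return findings


def scan_log(text):
    """Map each suspicious request path in the log to its findings."""
    hits = {}
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if match:
            findings = classify(match.group("path"))
            if findings:
                hits[match.group("path")] = findings
    return hits
```

Run `scan_log(SAMPLE_LOG)` against your own device logs by swapping in the file contents; a 200 status on a flagged request is the case worth investigating.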
We are all aware how important patching systems can be. My home NAS device got a firmware update a few months ago that I applied. However, even though it’s up-to-date with my vendor, it’s still vulnerable to some issues which are over six years old because they haven’t patched the code from their vendor. So take a look at your embedded device and don’t be afraid to lob some 2003 sauce at them. You might find that it still works.
One Comment
This project is active. Version 2.5 was released in Feb.