Bugtraq mailing list archives
Security flaw in Count.cgi (wwwcount)
From: drazvan () kappa ro (Razvan Dragomirescu)
Date: Fri, 10 Oct 1997 18:42:37 +0300
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi all, I have found a vulnerability in Muhammad A. Muquit's wwwcount version 2.3 which allows remote users to read any GIF file on the server, regardless of HTTP permissions set. The file must be readable by the user running the HTTP server and it can be anywhere on the disk (not only under the HTTP daemon's document root directory) It appears that the bug is present ONLY in version 2.3. Older versions do not have it. Here's how it works: Using an URL like http://attacked.host.com/cgi-bin/Count.cgi?display=image&image=../../../../../../path_to_gif/file.gif you can see (and download) any GIF image on the server. You can't use this to download other file types because the program checks the file format. The use for this is not yet very clear, but some companies might have sensitive information in GIF files (charts, drafts etc.). And of course, this is heaven for XXX site hunters who can bypass user-level authentication and download the image if they know the name and the path. And one more thing. A search on AltaVista for "Count.cgi" returned about 200.000 matches. I do not know how many of them were versions 2.3.... but even 50.000 vulnerable computers do not make me feel comfortable. Be good. Razvan P.S. You can find information about wwwcount at http://www.fccc.edu/users/muquit/Count.html - -- Razvan Dragomirescu drazvan () kappa ro drazvan () romania ro drazvan () roedu net drazvan () graypeak com Phone: +40-1-6866621 "Smile, tomorrow will be worse" (Murphy) -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQA/AwUBND5M8FnG/euRPmGVEQKbLwCeJb5/seO2tXUn8+2Evwy/jTyDmgcAn3BP NqhNbPflg/tYJawK+itYODXm =F5tQ -----END PGP SIGNATURE-----
Current thread:
- Re: Possible weakness in LPD protocol Warner Losh (Oct 03)
- Re: Possible weakness in LPD protocol Brett Lymn (Oct 08)
- L0pht Advisory: IMAP4rev1 imapd server We got Food - Fuel - Ice-cold Beer - and X.509 certificates (Oct 08)
- Re: L0pht Advisory: IMAP4rev1 imapd server Marc Slemko (Oct 08)
- SNMP Insecurity Aleph One (Oct 08)
- Malicious Linux modules Runar Jensen (Oct 08)
- Re: L0pht Advisory: IMAP4rev1 imapd server Casper Dik (Oct 09)
- Security flaw in PGPverify of INN Lutz Donnerhacke (Oct 09)
- Re: L0pht Advisory: IMAP4rev1 imapd server Kragen Sitaker (Oct 09)
- Security flaw in Count.cgi (wwwcount) Razvan Dragomirescu (Oct 10)
- Huge security holes in Microsoft FP98 server extensions for Apache Marc Slemko (Oct 11)
- Re: Huge security holes in Microsoft FP98 server extensions for Aleph One (Oct 11)
- DOS PC FTP SERVER Efrain Torres Mejia (Oct 11)
- _very_ poor ISN generation on Ascend MAX (fwd) Marc Slemko (Oct 11)
- Re: L0pht Advisory: IMAP4rev1 imapd server Marc Slemko (Oct 08)
- Another way to exploit local classes in Java Andre L. Dos Santos (Oct 08)
- <Possible follow-ups>
- Re: Possible weakness in LPD protocol Oliver Friedrichs (Oct 03)
- Re: Possible weakness in LPD protocol Eivind Eklund (Oct 03)
- Re: Possible weakness in LPD protocol Doug Hughes (Oct 05)