Bugtraq mailing list archives
Vulnerability in Poll_It cgi v2.0
From: adrian () TUCOWS COM (Adrian Daminato)
Date: Thu, 6 Jul 2000 08:54:45 -0400
This has already been sent to securityfocus.com and cgi-world.com. It is now listed at securityfocus.com at http://www.securityfocus.com/bid/1431. Original email that I sent is below: The CGI is available from: http://www.cgi-world.com/pollit.html The bug takes place when calling the CGI and passing it parameters that overwrite settings initialized in the CGI: /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi?data_dir=/etc/passwd%00 Because the CGI initializes it's internal variables before parsing any form data, and the method it uses to parse form data overwrites internal variables (in this case, $data_dir), it is possible to retrieve any files readable by the webserver. On line 78 is the line: %in = &ReadForm; Moving it above the local variable initializations to line 66, causes any internally used variables to be initialized after the query is processed, therefore insuring that correct data is used for the form. This doesn't appear to change the usability of the CGI, and from what I can determine, doesn't create any other security concerns (although of this fact I am not 100% certain). This email has been sent to both securityfocus.com and to contact () cgi-world com -- Adrian Daminato Tucows International Corp. http://www.tucows.com Tel: (416) 535-0123 Fax: (416) 531-5584 "It is looking at things for a long time that ripens you and gives you a deeper understanding." -- Vincent Van Gogh
Current thread:
- Vulnerability in Poll_It cgi v2.0 Adrian Daminato (Jul 06)