Bugtraq mailing list archives

CGI: Selena Sol's WebBanner ( Random Banner Generator ) Vulnerability


From: jwesterink () JOHANNES2 DAXIS NL (Johannes Westerink)
Date: Tue, 13 Jun 2000 08:55:53 +0200


        Application Name: WebBanner (Random Banner Generator)
     Application Authors: Eric Tachibana (Selena Sol) and Gunther Birznieks
                 Version: 4.0
           Last Modified: 17NOV98
                    Site: http://www.extropia.com

                  Origin: Script design fault
             Consequence: User can view files as the user the server is running as
                Solution: See the bottom of this page

Description:
~~~~~~~~~~~~~
        In your browser, simply type:

http://yourdomain/random_banner/index.cgi?image_list=alternative_image.list&html_file=../../../../../etc/passwd

        This should display the passwd file as user nobody (if the server is
        serving pages as user nobody ...).

        I have tried to execute a command with |, but it will not always work,
        because the script runs by default with the -T option:
        #!/usr/bin/perl -T. You can first view the script code in the above
        way and check whether there is a -T option; if not, you can execute
        any command as the nobody user ( ....&html_file=|ls -la| )

Solution:
~~~~~~~~~~
        A snippet of script index.cgi at line 195 without comments:

        >---[ line 195 + ]-------------------------------------------------
        open (HTML_FILE, "$html_file") ||
                &CgiDie (" blablabla... ");
        while (<HTML_FILE>)
        {
                if (/\<!--IMG GOES HERE--\>/)
                {
                        print qq!
                        <A HREF = "$random_url">
                        <IMG SRC = "$image_url/$random_image"></A>!;
                } else
                {
                        print "$_";
                }
        }
        close (HTML_FILE);
        <------------------------------------------------------------------

        The above snippet is not safe code. To make it safer:

        Good code should look like this:
        >---[ change above snippet to this snippet! ]----------------------
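        # Decode %XX escapes first so encoded ../ and | are also caught
        $html_file =~ s/\%([\d\w]{2})/pack('c',hex($1))/gie;

        # Refuse any value containing ../ or |
        if( $html_file =~ /\.\.\/|\|/ )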
        {
                &CgiDie( "Not allowed... " );
        } else {
                open (HTML_FILE, "$html_file") ||
                        &CgiDie ( "I'm sorry, but I was unable to open the requested
        HTML file in the Insert Random Banner Into Page routine.  The
        value I have is $html_file.  Would you please check the path and
        the permissions for the file." );
                while (<HTML_FILE>)
                {
                        if (/\<!--IMG GOES HERE--\>/)
                        {
                                print qq!
                                <A HREF = "$random_url">
                                <IMG SRC = "$image_url/$random_image"></A>!;
                        } else
                        {
                                print "$_";
                        }
                }
                close (HTML_FILE);
        }
        <------------------------------------------------------------------
        Then you can only get a file in the current directory or upper directory.

------------------------------------------------------------------------------------
-- Sorry for my bad English, and                                                  --
-- ... am badhearing (nearly deaf), that's why                                    --
------------------------------------------------------------------------------------
Johannes Westerink
jwesterink () daxis nl
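
Added example (not part of the original post and not the WebBanner authors' code): an allowlist check for html_file, as a stricter alternative to matching on ../ and |, combined with three-argument open. The template directory and the sub names safe_html_file and open_html_file are assumptions made for illustration.

```perl
use strict;
use warnings;
use File::Spec;

# Assumption: all pages the script may serve live under this one directory.
my $TEMPLATE_DIR = './templates';

# Return the validated relative name, or nothing if the request is rejected.
# Allowlist: every path component must start with a letter or digit and
# contain only letters, digits, '.', '_' and '-'. Absolute paths, "..",
# '|', '<', '>', NUL bytes and whitespace all fail because they cannot match.
sub safe_html_file {
    my ($name) = @_;
    return unless defined $name && length($name) <= 255;
    return unless $name =~
        m{\A((?:[A-Za-z0-9][A-Za-z0-9._-]*/)*[A-Za-z0-9][A-Za-z0-9._-]*)\z};
    return $1;    # a regex capture is also what untaints the value under -T
}

# Three-argument open: the name is used only as a file name and is never
# parsed for a mode character or a pipe.
sub open_html_file {
    my ($name) = @_;
    my $safe = safe_html_file($name);
    return unless defined $safe;
    my $path = File::Spec->catfile($TEMPLATE_DIR, $safe);
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed sample values for html_file, after URL decoding.
my @samples = ('index.html', 'sub/page.html', '../../../../../etc/passwd',
               '/etc/passwd', '|ls -la|', "index.html\0.gif", '.htaccess');
for my $candidate (@samples) {
    (my $shown = $candidate) =~ s/\0/\\0/g;
    my $verdict = defined(safe_html_file($candidate)) ? 'accepted' : 'rejected';
    printf "%-28s %s\n", $shown, $verdict;
}
```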

