Bugtraq mailing list archives
CGI: Selena Sol's WebBanner ( Random Banner Generator ) Vulnerability
From: jwesterink () JOHANNES2 DAXIS NL (Johannes Westerink)
Date: Tue, 13 Jun 2000 08:55:53 +0200
Application Name: WebBanner (Random Banner Generator)
Application Authors: Eric Tachibana (Selena Sol) and Gunther Birznieks
Version: 4.0
Last Modified: 17NOV98
Site: http://www.extropia.com
Origin: Script design fault
Consequence: User can view files as the user the server is running as
Solution: See the bottom of this page

Description:
~~~~~~~~~~~~~

In your browser, simply type:

http://yourdomain/random_banner/index.cgi?image_list=alternative_image.list&html_file=../../../../../etc/passwd

This should show the passwd file as user nobody (if the server is serving pages as user nobody ...).

I have tried to execute a command with |, but it will not always work, because the script normally runs with the -T option: #!/usr/bin/perl -T. You can first view the script code the way shown above and check whether there is a -T option; if not, you can execute any command as the nobody user ( ....&html_file=|ls -la| ).

Solution:
~~~~~~~~~~

A snippet of the script index.cgi at line 195, without comments:

>---[ line 195 + ]-------------------------------------------------
open (HTML_FILE, "$html_file") || &CgiDie (" blablabla... ");
while (<HTML_FILE>) {
    if (/\<!--IMG GOES HERE--\>/) {
        print qq! <A HREF = "$random_url"> <IMG SRC = "$image_url/$random_image"></A>!;
    }
    else {
        print "$_";
    }
}
close (HTML_FILE);
<------------------------------------------------------------------

The above snippet is not safe code. To make it safer, good code should look like this:

>---[ change above snippet to this snippet! ]----------------------
$html_file =~ s/\%([\d\w]{2})/pack('c',hex($1))/gie;
if( $html_file =~ /\.\.\/|\|/ ) {
    &CgiDie( "Not allowed... " );
}
else {
    open (HTML_FILE, "$html_file") || &CgiDie ( "I'm sorry, but I was unable to open the requested HTML file in the Insert Random Banner Into Page routine. The value I have is $html_file. Would you please check the path and the permissions for the file." );
    while (<HTML_FILE>) {
        if (/\<!--IMG GOES HERE--\>/) {
            print qq! <A HREF = "$random_url"> <IMG SRC = "$image_url/$random_image"></A>!;
        }
        else {
            print "$_";
        }
    }
    close (HTML_FILE);
}
<------------------------------------------------------------------

Then you can only get a file in the current directory or an upper directory.

----------------------------------------------------------------------------
-- Sorry for my bad English, and                                          --
-- ... I am hard of hearing (nearly deaf), that's why                     --
----------------------------------------------------------------------------
Johannes Westerink
jwesterink () daxis nl
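The following is an added example, written for this archive page; it is not code from the advisory above nor from the WebBanner 4.0 distribution. It shows the same "insert random banner into page" loop built the way a defender would want it: the html_file value is matched against a strict allow-list pattern (which is also what untaints it when the script runs under -T), the name is resolved to a canonical path with Cwd::realpath and must land inside one fixed directory, and the file is opened with three-argument open in an explicit '<' mode so the value can never be read as a pipe. The directory ($BANNER_DIR, created as a temporary sandbox here), the page contents, the URL and image names, and the function names resolve_html_file and insert_random_banner are all assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not code from the advisory or from WebBanner 4.0.
# Allow-list handling of the html_file parameter: untaint with a strict
# pattern, resolve to a canonical path, require it to stay inside one fixed
# directory, and only then open it read-only with three-argument open.
# $BANNER_DIR is an assumption; a real install would point it at the
# directory that holds the banner pages.
use strict;
use warnings;
use Cwd        qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Constructed sandbox so the example runs offline: one page in a temp dir.
my $BANNER_DIR = realpath(tempdir(CLEANUP => 1));
{
    open my $page, '>', "$BANNER_DIR/index.html" or die "cannot write page: $!";
    print $page "<html>\n<!--IMG GOES HERE-->\n</html>\n";
    close $page;
}

# Returns ($canonical_path, undef) when $html_file names a regular file inside
# $BANNER_DIR, or (undef, $reason) otherwise.
sub resolve_html_file {
    my ($html_file) = @_;
    return (undef, 'empty value') unless defined $html_file && length $html_file;

    # Allow-list, not deny-list: a relative name whose components consist of
    # [A-Za-z0-9_.-] only. The capture is what untaints the value under -T.
    my ($clean) = $html_file =~ m{\A([\w.\-]+(?:/[\w.\-]+)*)\z}
        or return (undef, 'disallowed characters in name');

    # Resolve '..' and symlinks, then require the result to stay in $BANNER_DIR.
    my $path = realpath(File::Spec->catfile($BANNER_DIR, $clean));
    return (undef, 'no such file') unless defined $path;
    return (undef, 'outside banner directory')
        unless index($path, "$BANNER_DIR/") == 0;
    return (undef, 'not a regular file') unless -f $path;
    return ($path, undef);
}

# Same banner substitution as the script's loop, but on a validated path and
# with an explicit '<' mode, so the value can never become a pipe or a write.
sub insert_random_banner {
    my ($html_file, $random_url, $image_url, $random_image) = @_;
    my ($path, $why) = resolve_html_file($html_file);
    return (undef, $why) unless defined $path;

    open my $fh, '<', $path or return (undef, "cannot open $path: $!");
    my $out = '';
    while (my $line = <$fh>) {
        if ($line =~ /<!--IMG GOES HERE-->/) {
            $out .= qq!<A HREF="$random_url"><IMG SRC="$image_url/$random_image"></A>\n!;
        }
        else {
            $out .= $line;
        }
    }
    close $fh;
    return ($out, undef);
}

# Constructed requests: the legitimate page plus the shapes from the advisory.
for my $req ('index.html', '../../../../../etc/passwd', '|ls -la|', '/etc/passwd') {
    my ($path, $why) = resolve_html_file($req);
    printf "%-28s %s\n", $req, defined $path ? "ok: $path" : "rejected: $why";
}

# Constructed banner values for the one accepted request.
my ($html, $err) = insert_random_banner('index.html',
    'http://www.extropia.com', '/banners', 'banner1.gif');
if (defined $err) { print "error: $err\n" } else { print $html }
```

Two design points are worth noting. An absolute name such as /etc/passwd never reaches the file system: the leading slash fails the allow-list pattern. A name that passes the pattern but climbs out with '..' is caught by the canonical-path comparison, which is why the check is on realpath's result with a trailing "/" appended to $BANNER_DIR (so a sibling directory whose name merely starts with the same prefix is also rejected). Rejections are logged or reported to the caller rather than silently served, which gives an operator a detection signal when such requests arrive.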