Vulnerability Development mailing list archives
FW: Serious Hole in Comment/Discussion CGI Script
From: Richard Bartlett <richard_bartlett () SW2000 COM>
Date: Fri, 27 Oct 2000 12:24:42 +0100
-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM] On Behalf Of Barry Russell
Sent: 27 October 2000 01:11
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Serious Hole in Comment/Discussion CGI Script

Well, I tried the nullbyte/%00 trick and it was a no go. And no, the script does not parse out metacharacters.

Vitaly McLain wrote:
Hi,

I am not too good with Perl, but I think I see potential for some exploitation here. You said you were able to open text-files because of...

open(FILE, "commentdata/$article.txt");

Does the script parse out any metacharacters from $article? If it does not, then it has major problems. The direct avenue of attack would be to try directory traversal, i.e. trying to view a file like ../../../../../etc/passwd. Obviously this won't work, because there will be a .txt appended to passwd, and that is why you should try that "null trick" you mentioned. Append a %00 to the end, which should confuse Perl into only seeing the /etc/passwd part when opening the script (see Phrack #55 for more info.)

Good luck.

Vitaly McLain
twistah () datasurge net
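For readers of this thread, here is an added illustration (not code from the script under discussion or from either poster) of why the quoted open() call is risky and how a maintainer would harden it: the unsafe shape passes $article straight into a two-argument open(), while the safe version allowlists the identifier, rejects embedded NUL bytes and path separators, and uses a three-argument read-only open(). The directory name "commentdata" is taken from the quoted call; the function names and sample identifiers are assumptions made up for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Directory holding the comment files; the name comes from the quoted open() call.
my $DATA_DIR = 'commentdata';

# The shape discussed in the thread: $article flows unchecked into the path.
# Perl hands the file name to the OS as a C string, so an embedded NUL ends
# the name early and the ".txt" suffix that follows it is never seen.
sub open_article_unsafe {
    my ($article) = @_;
    open(my $fh, "$DATA_DIR/$article.txt") or return undef;   # two-arg open, unchecked input
    return $fh;
}

# Hardened check: accept only a short allowlisted identifier. Rejecting
# everything but [A-Za-z0-9_-] rules out '.', '/', '\' and NUL in one step,
# but the NUL test is kept explicit so log entries say why a value failed.
sub validate_article {
    my ($article) = @_;
    return 0 unless defined $article;
    return 0 if $article =~ /\0/;                             # the "%00 trick"
    return 0 unless $article =~ /\A[A-Za-z0-9_-]{1,64}\z/;   # no traversal characters
    return 1;
}

# Hardened open: build the path from validated parts and use three-argument
# open() in read-only mode so the string can never be interpreted as a pipe.
sub open_article_safe {
    my ($article) = @_;
    die "invalid article id\n" unless validate_article($article);
    my $path = File::Spec->catfile($DATA_DIR, "$article.txt");
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    return $fh;
}

# Constructed sample identifiers: two ordinary ones, then the traversal and
# NUL-terminated variants described in the thread.
for my $id ('news42', 'hello-world', '../../etc/passwd', "../../etc/passwd\0") {
    (my $shown = $id) =~ s/\0/%00/g;                          # make the NUL visible
    printf "%-22s => %s\n", $shown, validate_article($id) ? 'accepted' : 'rejected';
}
```

Running it prints "accepted" for the first two identifiers and "rejected" for the traversal and %00 forms, which is the check the thread's script was missing.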