Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Security Advisory : eXtropia WebStore (web_store.cgi) Directory Traversal Vulnerability

From: f0bic <f0bic () deadprotocol org>
Date: Mon, 9 Oct 2000 03:45:41 -0400
[ October 9, 2000 ]


Security Advisory (web_store.cgi.ad-1.00-10) : eXtropia WebStore (web_store.cgi) Directory Traversal Vulnerability




Affected Product/Version:

        * eXtropia WebStore (web_store.cgi/html_web_store.cgi)


Affected Platforms:

        * Unix
        * Windows


Overview:

        The Web Store is a shopping cart product by eXtropia. This script merges Selena Sol's Electronic Outlet HTML
        and Database shopping cart apps and adds all new routines for error handling, order processing, encrypted 
mailing,
        frames, Javascript and VBscript.


Description:

        The Web Store is made up of a variety of scripts, of which one is the main routine, web_store.cgi. The $page 
variable,
        lets you display product/shopping html files. web_store.cgi checks for the file extension of the $page input, 
it has
        to be ended by a .html extension. In other words, 
http://example.com/cgi-bin/Web_Store/web_store.cgi?page=page.html,
        would open page.html in the browser. It checks for the .html extension like so:

                sub error_check_form_data
                {
                  foreach $file_extension (@acceptable_file_extensions_to_display)
                  {
                  if ($page =~ /$file_extension/ || $page eq "")
                  {
                  $valid_extension = "yes";
                  }
                }

        The open() call is displayed here:

                sub display_page
                  {
                  local ($page, $routine, $file, $line) = @_;

                  # the subroutine begins by opening the requested file for
                  # reading, exiting with file_open_error if there is a
                  # problem as usual.

                open (PAGE, "<$page") ||
                &file_open_error("$page", "$routine", $file, $line);


        Taking this information into account, if you would want to open the /etc/inetd.conf file, a request for
        http://example.com/cgi-bin/Web_Store/web_store.cgi??page=../../../../../../../../etc/inetd.conf would fail 
since it
        does not fullfill the $file_extension check. This problem can be bypassed by using a NULL (%00) character that 
by
        perl is seen as a character, but by the underlaying language is interpreted as a \0 escape sequence character.
        All the characters following the %00 will be ignored and so the file can be opened in the following manner:
        http://example.com/cgi-bin/Web_store/web_store.cgi?page=../../../../../../../../etc/inetd.conf%00.html
        This will result in opening the /etc/inetd.conf file. In this manner, arbitrary files could be read.


Solution:

        By the use of regex you could add better input validation checking that prevents double dot strings from being 
passed
        through the open() call.


Resources & References:

        * eXtropia's Webpage: http://www.extropia.com


---------------------------------
by f0bic (f0bic () deadprotocol org)
zSh - http://zsh.interniq.org
Previous By Date Next
Previous By Thread Next

Current thread: