Bugtraq mailing list archives

Re: WebSPIRS CGI script "show files" Vulnerability.


From: Ashwin Kutty <Ashwin.Kutty () Dal Ca>
Date: Tue, 13 Feb 2001 09:09:58 -0400

I have just tried this with WebSpirs 3.1
The URL I tried is..
http://www.targethost.com/spirs/webspirs.cgi?sp.nextform=../../../../../etc/passwd

It worked.. I also tried this with WebSpirs 4.2 and it did NOT work.. I have not tried
WebSpirs 4.3 yet.. Maybe it is because you have it in your cgi-bin.. I have it outside my
cgi-bin in a different directory.. In fact, when you try this with WebSpirs 4.2 it says,
Security Violation Detected, Contact your Systems Administrator.. In WebSpirs 4.2 the way
we have it is, URL/dbname?sp.nextform=blah/blah/blah, Now if you switch the dbname with
webspirs.cgi it comes back with no data.. Using it as
dbname?sp.nextform=../../../../etc/passwd gives a security violation message..

WebSpirs 3.1 is Vulnerable..
WebSpirs 4.2 is not.. (In WebSpirs 4.2 you do not need to put webspirs.cgi)
WebSpirs 4.3 is not tested yet..

UkR-XblP wrote:

-----------UkR security team advisory #1 ------------
WebSPIRS CGI script "show files" Vulnerability.
--------------------------------------------------

Name: WebSPIRS CGI script "show files" Vulnerability.
Date: 27.01.2001
About: WebSPIRS is SilverPlatter's Information Retrieval
System for the World Wide Web (WWW). It is a common gateway
interface (CGI) application which allows any forms-capable
browser, such as Netscape, to search SilverPlatter (SP)
Electronic Reference Library (ERL) databases available over
the Internet. http://www.silverplatter.com.
Problem: The problem lies in incorrect validation of user
information submitted by the browser, which can show any file of
the system where the script is installed.
Author: UkR-XblP
Exploit: www.target.com/cgi-bin/webspirs.cgi?sp.nextform=../../../../../../path/to/file
Affected: all versions of this script

Get your free e-mail address at http://www.zmail.ru

--
"Wise men talk because they have something to say; fools talk
because they have to say something." - Plato

Ashwin Kutty
Systems Administrator
Dalhousie University Libraries
(902) 494-2694
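The thread describes two behaviours of the same sp.nextform lookup: 3.1 joins the parameter onto its forms directory and serves whatever the result points at, while 4.2 answers "Security Violation Detected". The following is an added example, not WebSPIRS code and not from either poster: a small model of both behaviours against a constructed sandbox directory tree (the <root>/spirs/forms and <root>/etc/passwd layout, the function names and the SecurityViolation class are all assumptions made for the illustration). The hardened lookup resolves the requested path and refuses anything that does not stay inside the forms directory, which also covers absolute paths and symlinks pointing out of it.

```python
"""Added example, not WebSPIRS code: a model of the sp.nextform lookup
without validation (the traversal reported in the thread) and with a
containment check (the "Security Violation Detected" behaviour described
for 4.2). Every path used here belongs to a constructed sandbox."""
import os
import tempfile
from pathlib import Path


class SecurityViolation(Exception):
    """Raised by the hardened lookup; the message mirrors the 4.2 text."""


def build_sandbox() -> Path:
    """Constructed layout (hypothetical, not the real WebSPIRS install):
    <root>/spirs/forms/ holds the legitimate form files and
    <root>/etc/passwd is the file a traversal would reach."""
    root = Path(tempfile.mkdtemp(prefix="webspirs-demo-"))
    forms = root / "spirs" / "forms"
    forms.mkdir(parents=True)
    (forms / "search.html").write_text("<form>search</form>\n")
    (root / "etc").mkdir()
    (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
    return root


def vulnerable_nextform(forms_dir: Path, nextform: str) -> str:
    """Unvalidated behaviour: the parameter is joined onto the forms
    directory as-is, so '../' segments walk out of it."""
    with open(os.path.join(str(forms_dir), nextform)) as fh:
        return fh.read()


def is_within_forms(forms_dir: Path, nextform: str) -> bool:
    """True only if the resolved target is forms_dir itself or below it.
    resolve() follows symlinks, so a link inside forms_dir that points
    outside is rejected too; an absolute nextform such as '/etc/passwd'
    is rejected because base / '/etc/passwd' yields '/etc/passwd'."""
    base = forms_dir.resolve()
    target = (base / nextform).resolve()
    return target == base or base in target.parents


def hardened_nextform(forms_dir: Path, nextform: str) -> str:
    """Validated behaviour: refuse anything outside the forms directory."""
    if not is_within_forms(forms_dir, nextform):
        raise SecurityViolation(
            "Security Violation Detected, Contact your Systems Administrator")
    target = (forms_dir.resolve() / nextform).resolve()
    if not target.is_file():
        raise FileNotFoundError(nextform)
    with open(target) as fh:
        return fh.read()


if __name__ == "__main__":
    forms = build_sandbox() / "spirs" / "forms"
    print("3.1-style:", vulnerable_nextform(forms, "../../etc/passwd").strip())
    try:
        hardened_nextform(forms, "../../etc/passwd")
    except SecurityViolation as exc:
        print("4.2-style:", exc)
```

The traversal string in the example uses exactly two "../" segments so that it stays inside the sandbox; the advisory's longer chain works the same way on a real host because extra "../" segments past the filesystem root are simply ignored.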


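Both the advisory URL and Ashwin's two URL forms (webspirs.cgi in cgi-bin, and dbname?sp.nextform=... in 4.2) leave the same trace in a web server access log. As an added example that is not part of the thread, the following scanner pulls sp.nextform out of each request line, decodes it (twice, to catch a double-encoded "%252e"), and reports any value that contains a ".." segment or starts with "/". The log lines are constructed for the example; the IP addresses, paths and status codes are not real data.

```python
"""Added example, not from the thread: flag sp.nextform traversal attempts
in Apache-style access logs. The SAMPLE_LOG lines are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed log lines modelled on the URL forms discussed in the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Feb/2001:09:01:12 -0400] "GET /spirs/webspirs.cgi?sp.nextform=search.html HTTP/1.0" 200 2310
10.0.0.9 - - [13/Feb/2001:09:02:40 -0400] "GET /spirs/webspirs.cgi?sp.nextform=../../../../../etc/passwd HTTP/1.0" 200 1024
10.0.0.9 - - [13/Feb/2001:09:02:41 -0400] "GET /cgi-bin/webspirs.cgi?sp.nextform=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.0" 200 1024
10.0.0.9 - - [13/Feb/2001:09:02:42 -0400] "GET /spirs/medline?sp.nextform=%252e%252e/%252e%252e/etc/passwd HTTP/1.0" 403 312
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def traversal_value(target: str):
    """Return the decoded sp.nextform value if it escapes the forms
    directory, else None. parse_qs decodes percent-encoding once; the
    extra unquote() catches a double-encoded payload."""
    query = urlsplit(target).query
    for value in parse_qs(query, keep_blank_values=True).get("sp.nextform", []):
        decoded = unquote(value)
        segments = re.split(r"[\\/]+", decoded)
        if ".." in segments or decoded.startswith(("/", "\\")):
            return decoded
    return None


def scan_log(log_text: str):
    """Return (ip, status, decoded_nextform) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        payload = traversal_value(m["target"])
        if payload is not None:
            hits.append((m["ip"], int(m["status"]), payload))
    return hits


if __name__ == "__main__":
    for ip, status, payload in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} sp.nextform={payload}")
```

A 200 response to one of these requests, with a body size in the range of the target file, is the line worth treating as a confirmed read; a 403 alongside the 4.2 "Security Violation Detected" message indicates the check held.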