Bugtraq mailing list archives
Re: WebSPIRS CGI script "show files" Vulnerability.
From: Ashwin Kutty <Ashwin.Kutty () Dal Ca>
Date: Tue, 13 Feb 2001 09:09:58 -0400
I have just tried this with WebSpirs 3.1. The URL I tried is:

http://www.targethost.com/spirs/webspirs.cgi?sp.nextform=../../../../../etc/passwd

It worked. I also tried this with WebSpirs 4.2 and it did NOT work. I have not tried WebSpirs 4.3 yet. Maybe it is because you have it in your cgi-bin. I have it outside my cgi-bin in a different directory.

In fact, when you try this with WebSpirs 4.2 it says: Security Violation Detected, Contact your Systems Administrator.

In WebSpirs 4.2 the way we have it is URL/dbname?sp.nextform=blah/blah/blah. Now if you switch the dbname with webspirs.cgi it comes back with no data. Using it as the dbname?sp.nextform=../../../../etc/passwd gives a security violation message.

WebSpirs 3.1 is vulnerable.
WebSpirs 4.2 is not. (In WebSpirs4.2 you do not need to put iwebspirs.cgi)
WebSpirs 4.3 is not tested yet.

UkR-XblP wrote:
-----------UkR security team advisory #1 ------------
WebSPIRS CGI script "show files" Vulnerability.
--------------------------------------------------

Name: WebSPIRS CGI script "show files" Vulnerability.

Date: 27.01.2001

About: WebSPIRS is SilverPlatter's Information Retrieval System for the World Wide Web (WWW). It is a common gateway interface (CGI) application which allows any forms-capable browser, such as Netscape, to search SilverPlatter (SP) Electronic Reference Library (ERL) databases available over the Internet. http://www.silverplatter.com.

Problem: The problem lies in incorrect validation of user submitted-by-browser information, that can show any file of the system where the script is installed.

Author: UkR-XblP

Exploit: www.target.com/cgi-bin/webspirs.cgi?sp.nextform=../../../../../../path/to/file

Affected: affected in all versions of this script
--
"Wise men talk because they have something to say; fools talk because they have to say something." - Plato

Ashwin Kutty
Systems Administrator
Dalhousie University Libraries
(902) 494-2694
Current thread:
- WebSPIRS CGI script "show files" Vulnerability. UkR-XblP (Feb 12)
- Re: WebSPIRS CGI script "show files" Vulnerability. Ashwin Kutty (Feb 13)
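
As an added example (not part of the original posts and not WebSPIRS code), here is one way in Python for a CGI handler to refuse an `sp.nextform` value that resolves outside its form directory, which is the kind of rejection reported above for WebSpirs 4.2. The names `resolve_form` and `SecurityViolation`, the directory layout and the sample values are assumptions constructed for the illustration.

```python
import os
import tempfile

class SecurityViolation(Exception):
    """Raised when a requested form resolves outside the form directory."""

def resolve_form(form_dir, nextform):
    """Map a user-supplied sp.nextform value to a file inside form_dir.

    The check is made on the canonical path, after symlinks and ".."
    segments are resolved, not on the raw request string.
    """
    if "\x00" in nextform:
        raise SecurityViolation("NUL byte in form name")
    base = os.path.realpath(form_dir)
    target = os.path.realpath(os.path.join(base, nextform))
    # commonpath compares whole path components, so a sibling such as
    # forms-old is not accepted the way a startswith() test would accept it.
    if os.path.commonpath([base, target]) != base:
        raise SecurityViolation("form resolves outside form directory")
    if not os.path.isfile(target):
        raise FileNotFoundError(nextform)
    return target

def demo():
    """Build a constructed directory layout and try four sample values."""
    root = os.path.realpath(tempfile.mkdtemp())
    forms = os.path.join(root, "forms")
    os.makedirs(os.path.join(forms, "search"))
    os.makedirs(os.path.join(root, "forms-old"))
    for rel in ("forms/search/basic.htm", "forms-old/x.htm", "secret.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
    results = {}
    for value in ("search/basic.htm", "../secret.txt",
                  "../forms-old/x.htm", "/etc/passwd"):
        try:
            resolve_form(forms, value)
            results[value] = "served"
        except SecurityViolation:
            results[value] = "violation"
    return results

if __name__ == "__main__":
    for value, outcome in demo().items():
        print(f"{outcome:9}  sp.nextform={value}")
```

The absolute-path case is rejected as well because `os.path.join` discards the base when the second argument is absolute, and the canonical result then falls outside the form directory.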