Bugtraq mailing list archives

W3.ORG sendtemp.pl


From: Tom Parker <tom () ROOTED NET>
Date: Tue, 13 Feb 2001 01:47:08 -0000

Following are details of a vulnerability I recently discovered in W3.ORG's
sendtemp.pl.

Name: sendtemp.pl (W3C)
Remote: Yes
Local: Yes
Type: File disclosure (directory traversal)

sendtemp.pl, part of the Amaya Web development server, contains a file
disclosure vulnerability which allows remote read access to files on the
server's file system with the privileges of whichever UID the httpd is
running as.

The vulnerability is really quite simple. When the `templ` argument is passed
to sendtemp.pl, the script adds a link to the chosen stylesheet and a META
field containing the publication URL of the new file to the chosen template.
For example:
http://localhost/cgi-bin/sendtemp.pl?templ=template.xml
This is all well and good; however, there is no sanity checking whatsoever on
the parameter passed to the script, i.e.:
my $temp_file = param("templ");
The value is used unchanged as the path of the template to read.

So by simply issuing a GET to (for example):
http://localhost/cgi-bin/sendtemp.pl?templ=../../etc/passwd
the file system can be traversed and the passwd file read, assuming the http
daemon has not been run under chroot(). The number of ../ components needed
depends on where cgi-bin sits relative to /, but on Unix any extra ../ past
the root are harmless, so overshooting the depth still works.
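The unchecked `param("templ")` pattern described above, beside a hardened template lookup, as an added example in Perl. This is not W3C's sendtemp.pl code: the function names `unsafe_template_path` and `safe_template_path`, the template directory layout and the sample files are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not W3C's sendtemp.pl: the unchecked pattern named in the
# advisory beside a hardened template lookup. Function names, the template
# directory layout and the sample files are assumed for the demonstration.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# The pattern the advisory describes: `templ` is taken from the query string
# and joined onto the template directory with no checks, so a value such as
# "../../etc/passwd" walks straight out of the directory.
sub unsafe_template_path {
    my ($template_dir, $templ) = @_;
    return "$template_dir/$templ";
}

# Hardened lookup (assumed name). Two independent checks, either of which
# alone blocks the advisory's traversal:
#  1. an allow-list on the name: a single path component, no leading dot,
#     no slash or backslash, so "../x", ".htaccess" and "sub/x" are refused;
#  2. canonicalisation of the final path (which also follows symlinks) plus
#     a containment check against the canonical template directory, so a
#     symlink planted inside the directory cannot point outside it.
# Returns the canonical path on success and undef on any rejection.
sub safe_template_path {
    my ($template_dir, $templ) = @_;
    return undef unless defined $templ;
    return undef unless $templ =~ /\A[A-Za-z0-9][A-Za-z0-9_.-]*\z/;

    my $base = realpath($template_dir);
    return undef unless defined $base && -d $base;

    my $candidate = realpath(File::Spec->catfile($base, $templ));
    return undef unless defined $candidate;

    # Compare with a trailing separator so "/srv/tpl" does not accept
    # "/srv/tpl-private/x" as being inside the directory.
    return undef unless index($candidate, "$base/") == 0;
    return undef unless -f $candidate;    # must be an existing regular file
    return $candidate;
}

# Demonstration on a throwaway directory holding one legitimate template
# (constructed sample data).
my $dir = tempdir(CLEANUP => 1);
open my $fh, '>', "$dir/template.xml" or die "cannot create template: $!";
print $fh "<template/>\n";
close $fh;

for my $templ ('template.xml', '../../etc/passwd', '.htaccess', 'sub/other.xml') {
    my $safe = safe_template_path($dir, $templ);
    print "templ=$templ\n";
    print "  unsafe: ", unsafe_template_path($dir, $templ), "\n";
    print "  safe:   ", (defined $safe ? $safe : 'REJECTED'), "\n";
}
```

Only template.xml is accepted; the three other names are rejected before any file is opened. Note that CGI.pm's param() has already URL-decoded the value by the time the script sees it, so an encoded variant such as ..%2F..%2Fetc%2Fpasswd arrives as the plain string and is caught by the same allow-list. Running the httpd under chroot() limits what a traversal can reach but does not fix the script; the check has to be in the script itself.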

The URL below contains a simple exploit, although it is just as easy to use
your browser:
http://www.rooted.net/code/sendtemp-exp.pl

Note that W3.org have been aware of this problem since 12/01/01 (12 January 2001).

 Tom Parker - tom () rooted net
 MRX of HHP-Programming (www.hhp-programming.net)
 Global InterSec INC California - Security Audits, Penetration Testing, Code Auditing.

