Bugtraq mailing list archives

[SUPERPETZ ADVISORY #001 - agora.cgi Secret Path Disclosure Vulnerability]


From: superpetz () hushmail com
Date: Mon, 28 Jan 2002 17:28:02 -0800



 oO ____.
{+_'____.=== 
   /\  /\


TITLE: agora.cgi Secret Path Disclosure Vulnerability
-----

discovery date: January 28th, 2002. 
--------------

publication date: January 28th, 2002.
----------------

impact: sub-minor
------

local: nada
-----

remote: yes!
------

introduction:
------------

agora.cgi is a special "jazzed up" shopping cart product written by Steve Kneizys. If you wanna have fun, you can make 
a special store that sells pretend contraband blank US passports, like I did.

Check it out here:

http://www.agoracgi.com/

background:
----------

This is what is known as a path disclosure vulnerability.  It is not terribly exciting. The general idea behind this 
issue is that an error page is giving out some potentially sensitive information.  Sometimes this information is 
actionable, other times it is totally "big whup!".  Regardless, it is just a bad policy for a CGI to spew out sensitive 
information of any variety. 

details:
-------

This issue can be easily reproduced.  It appears to only be an issue in debug mode.  Ideally, live stores will not have 
debug mode on, but you never know... by the vendor's own admission, he accidentally had his own site running in debug 
mode.

I enter the following URL:

http://agoracgistorehost/cgi-bin/store/agora.cgi?page=pretendpage.html

(please note: pretendpage.html represents a non-existent .html file.  It does not represent a cheeky pretend product 
page, like for example the one I made for contraband black market passports.) 

I get the following feedback (yay!):

ERROR:FILE OPEN ERROR-./html/pages/pretendpage.html
FILE: /home/httpd/cgi-bin/store/agora.cgi
LINE: 1114

This shows the absolute path to the cgi-bin directory that agora.cgi is located in. 

Please consider that agora.cgi is not a dumb program.  It does not like my attempts to feed the "?page=" parameter with 
a directory traversal or a file that does not have a .htm/.html extension.  It just has a tendency to blab the absolute 
path.  My discovery of this vulnerability is purely coincidental.  I tried the more malicious type stuff after finding 
it.
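As an added defender's illustration (not part of this advisory or of agora.cgi's own Perl code), the following Python handler for a "?page=" parameter keeps the extension and traversal checks the advisory credits agora.cgi with, but sends the file-open detail to the server log instead of echoing the script's absolute path, whether or not debug mode is on. The directory layout, function names and the temporary store directory are assumptions made for the example.

```python
import logging
import os
import re
import tempfile

log = logging.getLogger("agora-store")

# Plain file names with a .htm/.html extension only; no "/" and no "..",
# mirroring the checks the advisory says agora.cgi already performs.
_PAGE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*\.html?$")


def page_name_is_valid(page: str) -> bool:
    return bool(_PAGE_NAME.match(page)) and ".." not in page


def render_page(page: str, pages_dir: str, debug: bool = False) -> str:
    """Return the page body, or a terse error that never reveals a path.

    The leak in the advisory is an error branch that prints the script's
    absolute path and line number when debug is on.  Here debug mode only
    changes how loudly the failure is logged; the client sees the same
    message either way.
    """
    if not page_name_is_valid(page):
        log.warning("rejected page parameter %r", page)
        return "ERROR:BAD PAGE"
    target = os.path.join(pages_dir, page)
    try:
        with open(target, encoding="utf-8") as fh:
            return fh.read()
    except OSError as exc:
        level = logging.DEBUG if debug else logging.WARNING
        log.log(level, "file open error for %s: %s", target, exc)
        return "ERROR:FILE OPEN ERROR"


def demo() -> dict:
    """Constructed store directory holding one page; returns the responses."""
    with tempfile.TemporaryDirectory() as pages_dir:
        with open(os.path.join(pages_dir, "index.html"), "w", encoding="utf-8") as fh:
            fh.write("<h1>store</h1>")
        return {
            "index": render_page("index.html", pages_dir),
            "missing": render_page("pretendpage.html", pages_dir, debug=True),
            "traversal": render_page("../agora.cgi", pages_dir, debug=True),
            "pages_dir": pages_dir,
        }
```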

workarounds/solutions:
---------------------

Do not run your agora.cgi store in debug mode. 

vendor response:
---------------

The vendor provided a courteous and timely response to this issue.  He mentioned a cross-site scripting issue with the 
debug mode.  No mention of a fix.  Just advises me not to run the program in debug mode.

terms of vulnerability disclosure:
---------------------------------

The vendor did not cause me headaches or nosebleeds.  The issue is really minor and conditional with a sufficient 
workaround to mitigate the problem.  Based on these criteria I decided to disclose immediately.

copyright:
---------

I don't care if you copy this in whole or in part. Don't matter much to me.

contact:
-------

superpetz () hushmail com