Vulnerability Development mailing list archives
Re: Serious Hole in Comment/Discussion CGI Script
From: Barry Russell <bjz11600 () PRODIGY NET>
Date: Thu, 26 Oct 2000 20:10:40 -0400
Well, I tried the nullbyte/%00 trick and it was a no go. And no, the script does not parse out metacharacters.

Vitaly McLain wrote:

> Hi, I am not too good with Perl, but I think I see potential for some exploitation here. You said you were able to open text-files because of...
>
> open(FILE, "commentdata/$article.txt");
>
> Does the script parse out any metacharacters from $article? If it does not, then it has major problems. The direct avenue of attack would be to try directory traversal, i.e. trying to view a file like ../../../../../etc/passwd. Obviously this won't work, because there will be a .txt appended to passwd, and that is why you should try that "null trick" you mentioned. Append a %00 to the end, which should confuse Perl into only seeing the /etc/passwd part when opening the script (see Phrack #55 for more info.)
>
> Good luck.
>
> Vitaly McLain
> twistah () datasurge net
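As an added example (not code from the thread or from the script under discussion), the following Perl shows how the open() call quoted above would be hardened on the defending side: the article identifier is checked against a strict allowlist before it is used to build a path, which rejects path separators, ".." sequences and NUL bytes in one step, and the file is opened with the three-argument form so the name can never be read as a mode. The directory name commentdata/ and the variable $article follow the quoted line; the function names and the sample inputs are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not the script from the thread. Assumes the layout of the
# quoted line: comment files live under commentdata/ and are named
# <article>.txt, where <article> comes straight from the CGI request.
my $BASE = 'commentdata';

# Return a safe filesystem path for $article, or undef if the value is not
# an acceptable article identifier.
sub article_path {
    my ($article) = @_;
    # Allowlist check: a short token of letters, digits, '_' and '-'.
    # Anything else (slashes, '..', NUL bytes, shell metacharacters) fails
    # here, so it never reaches open(). \A and \z anchor the whole string,
    # so a trailing newline or NUL cannot slip past the match.
    return undef unless defined $article
        && $article =~ /\A[A-Za-z0-9_-]{1,64}\z/;
    return "$BASE/$article.txt";
}

# Read the comment file for $article. Returns (content, undef) on success
# or (undef, error message) on failure.
sub read_comments {
    my ($article) = @_;
    my $path = article_path($article);
    return (undef, 'invalid article id') unless defined $path;
    # Three-argument open with a fixed read-only mode: the filename is
    # never interpreted as a mode prefix or a pipe.
    open(my $fh, '<', $path) or return (undef, "cannot open $path: $!");
    local $/;                 # slurp the whole file
    my $data = <$fh>;
    close $fh;
    return ($data, undef);
}

# Constructed sample inputs, as they would look after URL decoding.
my @inputs = (
    "12345",                        # ordinary article id
    "../../../../../etc/passwd",    # traversal attempt named in the thread
    "../../../../../etc/passwd\0",  # same with a trailing NUL (%00)
    "news;rm",                      # shell metacharacters
);

for my $in (@inputs) {
    (my $shown = $in) =~ s/\0/\\0/g;   # make the NUL visible when printed
    my $p = article_path($in);
    printf "%-32s -> %s\n", qq("$shown"), defined $p ? "ok: $p" : 'rejected';
}
```

Only the first input yields a path; the other three are rejected before any filesystem call is made, which is the property a defender wants regardless of how a given Perl version treats an embedded NUL in open().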
Current thread:
- Serious Hole in Comment/Discussion CGI Script Barry Russell (Oct 27)
- Re: Serious Hole in Comment/Discussion CGI Script Vitaly McLain (Oct 27)
- Re: Serious Hole in Comment/Discussion CGI Script Barry Russell (Oct 27)
- Re: Serious Hole in Comment/Discussion CGI Script Joe (Oct 29)
- Re: Serious Hole in Comment/Discussion CGI Script Taneli Huuskonen (Oct 31)
- <Possible follow-ups>
- FW: Serious Hole in Comment/Discussion CGI Script Richard Bartlett (Oct 28)
- Re: FW: Serious Hole in Comment/Discussion CGI Script Bluefish (P.Magnusson) (Oct 29)
- Re: Serious Hole in Comment/Discussion CGI Script Vitaly McLain (Oct 27)