|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: UkR-XblP™ (cuctema
OK.RU)Date: Mon Feb 12 2001 - 08:15:48 CST
-----------UkR security team advisory #1 ------------
WebSPIRS CGI script "show files" Vulnerability.
--------------------------------------------------
Name: WebSPIRS CGI script "show files" Vulnerability.
Date: 27.01.2001
About: WebSPIRS is SilverPlatter's Information Retrieval
System for the World Wide Web (WWW). It is a common gateway
interface (CGI) application which allows any forms-capable
browser, such as Netscape, to search SilverPlatter (SP)
Electronic Reference Library (ERL) databases available over
the Internet. http://www.silverplatter.com.
Problem: Problem lyes in incorrect validation of user
submitted-by-browser information, that can show any file of
the system where script installed.
Aothor: UkR-XblP
Exploit: www.target.com/cgi-bin/webspirs.cgi?sp.nextform=../../../../../../path/to/file
Affected: affected in all version of this script
Get your free e-mail address at http://www.zmail.ru
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]