From: UkR-XblP™ (cuctemaOK.RU)
Date: Mon Feb 12 2001 - 08:15:48 CST


    -----------UkR security team advisory #1 ------------
    WebSPIRS CGI script "show files" Vulnerability.
    --------------------------------------------------

    Name: WebSPIRS CGI script "show files" Vulnerability.
    Date: 27.01.2001
    About: WebSPIRS is SilverPlatter's Information Retrieval
    System for the World Wide Web (WWW). It is a common gateway
    interface (CGI) application which allows any forms-capable
    browser, such as Netscape, to search SilverPlatter (SP)
    Electronic Reference Library (ERL) databases available over
    the Internet. http://www.silverplatter.com.
    Problem: The problem lies in incorrect validation of user-submitted
    (browser-supplied) information, which can show any file on the
    system where the script is installed.
    Author: UkR-XblP
    Exploit: www.target.com/cgi-bin/webspirs.cgi?sp.nextform=../../../../../../path/to/file
    Affected: all versions of this script are affected

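An added example, not part of the advisory or of WebSPIRS itself: assuming a hypothetical form directory `/usr/local/webspirs/forms`, `resolve_form` shows the kind of check the script is missing (canonicalise `sp.nextform` and refuse anything that resolves outside that directory), and `flag_requests` finds the advisory's traversal pattern in constructed access-log lines so an operator can spot attempts against a still-unpatched install.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed (hypothetical) directory holding the forms the CGI may serve.
FORM_ROOT = "/usr/local/webspirs/forms"


def resolve_form(next_form, root=FORM_ROOT):
    """Return the canonical path for sp.nextform if it stays under root, else None."""
    candidate = unquote(next_form)          # catch double-encoded %252e%252e
    if candidate.startswith("/") or "\x00" in candidate:
        return None                         # no absolute paths, no NUL truncation
    full = posixpath.normpath(posixpath.join(root, candidate))
    # normpath folds every "..": the result must still sit below root.
    if full == root or posixpath.commonpath([root, full]) != root:
        return None
    return full


# "../" or "..\" anywhere in the (decoded) sp.nextform value.
TRAVERSAL = re.compile(r"\.\.[/\\]")


def flag_requests(log_lines):
    """Return (client, sp.nextform value) for webspirs.cgi requests with traversal."""
    hits = []
    for line in log_lines:
        parts = line.split()                # Common Log Format: URL is field 7
        if len(parts) < 7 or "webspirs.cgi" not in parts[6]:
            continue
        params = parse_qs(urlsplit(parts[6]).query, keep_blank_values=True)
        for value in params.get("sp.nextform", []):
            if TRAVERSAL.search(unquote(value)):
                hits.append((parts[0], value))
    return hits


# Constructed sample access-log lines (not real traffic).
LOG = [
    '10.0.0.5 - - [12/Feb/2001:08:15:48 -0600] "GET /cgi-bin/webspirs.cgi?sp.nextform=search.htm HTTP/1.0" 200 1024',
    '10.0.0.9 - - [12/Feb/2001:08:16:02 -0600] "GET /cgi-bin/webspirs.cgi?sp.nextform=../../../../../../path/to/file HTTP/1.0" 200 512',
    '10.0.0.7 - - [12/Feb/2001:08:16:30 -0600] "GET /index.html HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    print(resolve_form("search.htm"))                        # allowed
    print(resolve_form("../../../../../../path/to/file"))    # None: rejected
    print(flag_requests(LOG))                                # [('10.0.0.9', '../../../../../../path/to/file')]
```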