From: Tom Parker (tomROOTED.NET)
Date: Mon Feb 12 2001 - 19:47:08 CST
Following are details of a vulnerability I recently discovered in W3.ORGS
Name: sendtemp.pl (W3C).
sendtemp.pl: A part of the Amaya Web development server contains a file
which allows remote, read access to files on the server's file system, as
whichever UID the httpd is running as.
The Vulnerability is really quite simple..
When the `templ` argument is passed to sendtemp.pl it adds a link to the
and a META field containing the publication's URL of the new file to the
For example: http://localhost/cgi-bin/sendtemp.pl?templ=template.xml
This is all well and good, however.. There is no sanity checking on the
param you pass to the script..
ie: my $temp_file = param("templ");
So by simply issuing a GET to (for example):
The system's file system can be traversed and the passwd file can be read.
(Assuming the http daemon hasn't been run under chroot())
The below URL contains a simple exploit, although it's just as easy to use
Note that W3.org are aware of this problem as of 12/01/01.
Tom Parker - tomrooted.net
MRX of HHP-Programming (www.hhp-programming.net)
Global InterSec INC California - Security Audits, Penetration Testing, Code
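
An added example, not part of the original post and not W3C's code: one way to validate the `templ` value before a script like this opens a file, assuming all templates live in one directory. The `resolve_template` helper, the scratch directory and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper: map a requested template name to a file inside
# $base. Returns the resolved path, or undef if the request is refused.
# In the CGI script the name would come from param("templ").
sub resolve_template {
    my ($base, $name) = @_;
    return unless defined $name;

    # Allowlist: a plain file name only. No path separators, no leading
    # dot, no NUL byte, bounded length.
    return unless $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;

    # Resolve symlinks on both sides, then require a regular file.
    my $root = realpath($base);
    my $path = realpath(File::Spec->catfile($base, $name));
    return unless defined $root && defined $path && -f $path;

    # Containment check: the resolved file must still sit under $root.
    return unless index($path, "$root/") == 0;
    return $path;
}

# Constructed demo data: a scratch template directory with one template.
my $base = tempdir(CLEANUP => 1);
open(my $fh, '>', "$base/template.xml") or die "create: $!";
print {$fh} "<template/>\n";
close($fh);

# Constructed sample values for the templ parameter.
for my $templ ('template.xml', '../../../../etc/passwd', '/etc/passwd',
               "template.xml\0.html", '.htaccess', 'missing.xml') {
    (my $shown = $templ) =~ s/\0/\\0/g;    # make the NUL byte printable
    my $ok = resolve_template($base, $templ);
    printf "%-26s %s\n", $shown, defined $ok ? 'served' : 'refused';
}
```

Only `template.xml` is served; every other sample value is refused either by the name allowlist or by the file and containment checks.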