From: Tom Parker (tomROOTED.NET)
Date: Mon Feb 12 2001 - 19:47:08 CST


    Following are details of a vulnerability I recently discovered in W3.ORG's
    sendtemp.pl.

    Name: sendtemp.pl (W3C).
    Remote: Yes
    Local: Yes
    Type:

    sendtemp.pl, a part of the Amaya Web development server, contains a file
    disclosure vulnerability which allows remote read access to files on the
    server's file system as whichever UID the httpd is running as.

    The vulnerability is really quite simple..
    When the `templ` argument is passed to sendtemp.pl, it adds a link to the
    chosen stylesheet and a META field containing the publication URL of the
    new file to the chosen template.
    For example: http://localhost/cgi-bin/sendtemp.pl?templ=template.xml
    This is all well and good, however.. there is no sanity checking on the
    param you pass to the script..
    ie: my $temp_file = param("templ");

    So by simply issuing a GET to (for example):
    "http://localhost/cgi-bin/sendtemp.pl?templ=../../etc/passwd"
    the system's file system can be traversed and the passwd file can be read.
    (Assuming the http daemon hasn't been run under chroot())

    The below URL contains a simple exploit, although it's just as easy to use
    your browser.
    http://www.rooted.net/code/sendtemp-exp.pl

    Note that W3.org are aware of this problem as of 12/01/01.

     Tom Parker - tomrooted.net
     MRX of HHP-Programming (www.hhp-programming.net)
     Global InterSec INC California - Security Audits, Penetration Testing,
     Code Auditing.
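The missing check the advisory points at, shown as an added example (not code from the post, from W3C, or from Amaya): the template name taken from `templ` must be confined to the template directory before it is opened. The template directory path is an assumption, and `unsafe_resolve` only mirrors the `my $temp_file = param("templ")` pattern the advisory quotes so the two behaviours can be compared.

```python
import os
import re

# Assumed location of the templates sendtemp.pl serves (constructed for the example).
TEMPLATE_DIR = "/var/www/amaya/templates"

# Allowlist for the raw parameter: a plain file name such as "template.xml",
# with no path separators and no leading dot, so ".." can never appear as a segment.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*\.xml$")


def unsafe_resolve(templ, template_dir=TEMPLATE_DIR):
    """The behaviour described in the advisory: the parameter is used as given,
    so "../" segments walk out of the template directory."""
    return os.path.normpath(os.path.join(template_dir, templ))


def resolve_template(templ, template_dir=TEMPLATE_DIR):
    """Return the absolute path for a 'templ' value, or None if it must be rejected.

    Two independent checks, both of which must pass:
      1. the raw parameter matches the strict file-name allowlist;
      2. the resolved path still lies inside template_dir (defence in depth
         against anything the regex did not anticipate, e.g. symlinks).
    """
    if not isinstance(templ, str) or not SAFE_NAME.match(templ):
        return None
    base = os.path.realpath(template_dir)
    candidate = os.path.realpath(os.path.join(base, templ))
    # commonpath equals base only when candidate is at or below base.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for value in ("template.xml", "../../../../etc/passwd", "/etc/passwd"):
        print(repr(value), "->", unsafe_resolve(value), "| safe:", resolve_template(value))
```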