From: slipyB10Z.NET
Date: Fri Feb 16 2001 - 01:14:01 CST

    Introduction:

    The Thinking Arts LTD E-Commerce package comes
    with a webstore frontend called store.cgi, which
    lets visitors order products from the site's
    catalogue, backed by a SQL database.

    The vendor's website is:
    http://www.thinkingarts.com/

    Problem: Simple Directory Traversal

    Adding the string "/../" to the URL allows an attacker to
    view any file on the server, and to list any directory
    on the server, that the user the vulnerable httpd runs as
    has permission to access. Remote execution of commands
    does not appear to be possible with this directory
    traversal bug, but directory listings are.
    Please note that you do need the %00.html at the end
    of your request.

    Examples:

    http://www.VULNERABLE.com/cgi-bin/store.cgi?StartID=../etc/hosts%00.html
    ^^ = Will obviously open the hosts file.

    http://www.VULNERABLE.com/cgi-bin/store.cgi?StartID=../etc/%00.html
    ^^ = Will obviously list the /etc/ directory.
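    As an added defensive example (not code from the advisory, nor from Thinking Arts), here is a whitelisting resolver for a StartID-style parameter beside a log check for the traversal pattern shown above. The page root /srv/store/pages, the log lines, and the assumption that store.cgi appends ".html" to StartID (which is why the %00 is needed: an encoded NUL truncates the path before that suffix when it reaches a C-string open()) are mine.

```python
import posixpath
import re
import urllib.parse

# Hypothetical page root; the real store.cgi layout is not on the page.
BASE = "/srv/store/pages"
PAGE_ID = re.compile(r"[A-Za-z0-9_-]+")


def resolve_page(base: str, start_id: str) -> str:
    """Map StartID to base/<id>.html, or raise ValueError on traversal/NUL."""
    decoded = urllib.parse.unquote(start_id)
    if "\x00" in decoded:  # %00 would truncate the path before ".html"
        raise ValueError("NUL byte in StartID")
    if not PAGE_ID.fullmatch(decoded):  # rejects "../", "/", "%2e" forms
        raise ValueError("StartID is not a bare page identifier")
    target = posixpath.normpath(posixpath.join(base, decoded + ".html"))
    if posixpath.commonpath([base, target]) != base:  # defence in depth
        raise ValueError("StartID escapes the page root")
    return target


def accepts(start_id: str) -> bool:
    """True when resolve_page() would serve the request."""
    try:
        resolve_page(BASE, start_id)
        return True
    except ValueError:
        return False


# Constructed access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Feb/2001:01:14:01 -0600] '
    '"GET /cgi-bin/store.cgi?StartID=../etc/hosts%00.html HTTP/1.0" 200 512',
    '10.0.0.6 - - [16/Feb/2001:01:15:10 -0600] '
    '"GET /cgi-bin/store.cgi?StartID=welcome HTTP/1.0" 200 2048',
]
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def flag_traversal(lines):
    """Return log lines whose decoded store.cgi request carries ../ or NUL."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m:
            url = urllib.parse.unquote(m.group(1))  # decode before matching
            if "store.cgi" in url and ("../" in url or "\x00" in url):
                hits.append(line)
    return hits
```

    The log check decodes the request before matching, so percent-encoded variants of the same sequence are caught as well.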

    Solution:

    Vendor has been contacted. No reply from them yet,
    and since only 3 sites that signed up for their dumb
    service are affected, it doesn't really matter now,
    does it?

    --------------------
    b10z cgi advisory.
    slipyb10z.net

    February 16th, 2001.