Subject: Serious Hole in Comment/Discussion CGI Script
From: Barry Russell (bjz11600PRODIGY.NET)
Date: Thu Oct 26 2000 - 07:21:53 CDT


I found a sample Comment/Discussion Script that lets visitors visit a
person's site and leave a quick comment. The comments are shown through a
CGI Script, and the script opens the file that has the comments. I
looked at the script and saw that it allows you to read other txt
files (since it uses env query_string to know what file to open). The
code is below; I was wondering if there were any other bugs in this. I
tried opening other files with it but with no luck. Tried the null byte
trick also, any other things wrong with this?

#--Code--
#!/usr/bin/perl
print "Content-type: text/html\n\n";
# Query string is "article&count"; neither value is validated.
($article,$count)=split(/\&/, $ENV{QUERY_STRING});

# The article name goes straight into the path, so "../" in it walks out of commentdata/.
open(FILE, "commentdata/$article.txt");
@lines=<FILE>;
close FILE;
chomp @lines;
@lines=reverse @lines;          # newest comment first

foreach $line (@lines) {
        ($comment,$name)=split(/\^/, $line);   # each line is "comment^name"
        print "<font size=1 face=arial>- $comment<Br>";
        $num++;
        last if $num==$count;   # stop after $count comments
}

So far I was only able to read other text files; any suggestions are
appreciated.
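A hardened rewrite of the script, added here as an example (it is not the poster's code), assuming the same commentdata/<article>.txt layout and "comment^name" line format. It rejects any article name that is not a short alphanumeric token, bounds the count, and uses the three-argument open with an explicit read mode, so the query string can no longer name an arbitrary file:

```perl
#!/usr/bin/perl -T
# Hardened comment viewer (added example, not the original author's code).
# Assumes commentdata/<article>.txt files whose lines look like "comment^name".
use strict;
use warnings;

print "Content-type: text/html\n\n";

my ($article, $count) = split(/&/, $ENV{QUERY_STRING} // '', 2);

# Only accept a short, plain article name; the capture also untaints it under -T.
# Anything containing '/', '.', or a NUL byte fails this match, so the open()
# below can never be pointed outside the commentdata directory.
unless (defined $article && $article =~ /\A([A-Za-z0-9_-]{1,32})\z/) {
    print "Invalid article name.\n";
    exit;
}
$article = $1;

# The count must be a small positive integer (1..999); default to 10.
$count = (defined $count && $count =~ /\A([1-9][0-9]{0,2})\z/) ? $1 : 10;

# Three-argument open with an explicit '<' mode: the path is never parsed
# for mode characters or a trailing pipe.
my $path = "commentdata/$article.txt";
open(my $fh, '<', $path) or do { print "No such discussion.\n"; exit; };
my @lines = <$fh>;
close $fh;
chomp @lines;

# Encode the few characters that matter in HTML before echoing user text.
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

my $num = 0;
foreach my $line (reverse @lines) {          # newest comment first
    my ($comment, $name) = split(/\^/, $line, 2);
    print "<font size=1 face=arial>- ", escape_html($comment // ''), "<br>\n";
    last if ++$num == $count;
}
```

Running under -T makes Perl refuse to use the raw query-string value in open() at all until it has passed through the regex capture, which is a useful safety net if the validation is later loosened by mistake.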