Subject: Re: Serious Hole in Comment/Discussion CGI Script
From: Barry Russell (bjz11600 PRODIGY.NET)
Date: Thu Oct 26 2000 - 19:10:40 CDT
- Next message: JRC - Techno Logic Consulting: "Re: more iis-unicode questions"
- Previous message: Chico: "internet explorer "update check""
- Next in thread: Joe: "Re: Serious Hole in Comment/Discussion CGI Script"
- Next in thread: Richard Bartlett: "FW: Serious Hole in Comment/Discussion CGI Script"
- Maybe reply: Barry Russell: "Re: Serious Hole in Comment/Discussion CGI Script"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Well, I tried the nullbyte/%00 trick and it was a no go. And no, the script does
not parse out metacharacters.
Vitaly McLain wrote:
> Hi,
>
> I am not too good with Perl, but I think I see potential for some
> exploitation here.
> You said you were able to open text-files because of...
>
> open(FILE, "commentdata/$article.txt");
>
> Does the script parse out any metacharacters from $article? If it does not,
> then it has major problems.
> The direct avenue of attack would be to try directory traversal, i.e.
> trying to view a file like ../../../../../etc/passwd. Obviously this won't
> work, because there will be a .txt appended to passwd, and that is why you
> should try that "null trick" you mentioned. Append a %00 to the end, which
> should confuse Perl into only seeing the /etc/passwd part when opening the
> script (see Phrack #55 for more info.)
>
> Good luck.
>
> Vitaly McLain
> twistah
> datasurge.net
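The two messages above turn on one line of Perl: an `open()` whose filename is built from an unvalidated query parameter. The following is an added example, not the comment script discussed in the thread, showing that pattern beside a hardened version that checks the article id before it reaches the filesystem. The `commentdata` directory, the `open_comment_*` function names and the allowed id format (letters, digits, `_`, `-`, up to 64 characters) are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not the script from the thread): the open() pattern quoted
# above, next to a hardened version that validates the article id before
# building a path. The "commentdata" directory and the article-id format
# are assumptions for illustration.
use strict;
use warnings;

my $DATA_DIR = 'commentdata';   # assumed location of the comment files

# Pattern from the thread: untrusted $article goes straight into the
# filename. A value containing "../" changes which directory is read, and
# on the perls of the time a NUL byte ended the name early, because the
# string was handed to the C library, which stops at the first NUL
# (recent perls reject a NUL in a pathname outright).
sub open_comment_unsafe {
    my ($article) = @_;
    open(FILE, "$DATA_DIR/$article.txt") or return undef;
    my @lines = <FILE>;
    close(FILE);
    return \@lines;
}

# Hardened version: accept only a whitelisted article-id format, so "/",
# ".", and control characters (including NUL) can never reach the path,
# then use three-argument open with an explicit read mode.
sub valid_article_id {
    my ($article) = @_;
    return defined $article && $article =~ /\A[A-Za-z0-9_-]{1,64}\z/;
}

sub open_comment_safe {
    my ($article) = @_;
    return undef unless valid_article_id($article);
    open(my $fh, '<', "$DATA_DIR/$article.txt") or return undef;
    my @lines = <$fh>;
    close($fh);
    return \@lines;
}

# Constructed inputs: a normal id, then the shapes the thread discusses
# (traversal, traversal with a trailing NUL) and a value with a space.
# Only the first passes validation.
my @inputs = ('story42', '../../etc/passwd', "../../etc/passwd\0", 'a b');
for my $in (@inputs) {
    my $shown = $in;
    $shown =~ s/\0/\\0/g;                        # make the NUL visible
    printf "%-26s %s\n", "'$shown'",
        valid_article_id($in) ? 'accepted' : 'rejected';
}
```

The check is a whitelist rather than a blacklist of `..`, `/` and `%00`: it does not try to enumerate every encoding the CGI layer might decode, it only admits the characters an article id legitimately contains. Three-argument `open` is a second, independent guard, since it removes the ambiguity of the two-argument form, where a leading `<`, `>` or `|` in the string would be read as a mode.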