Subject: Re: Serious Hole in Comment/Discussion CGI Script
From: Vitaly McLain (twistah DATASURGE.NET)
Date: Thu Oct 26 2000 - 19:06:58 CDT
- Next message: Ryan Yagatich: "Summary of IIS 4.0/5.0 Unicode thread (end of thread?)"
- Previous message: Erik Tayler: "Re: more iis-unicode questions"
- In reply to: Barry Russell: "Serious Hole in Comment/Discussion CGI Script"
- Next in thread: Barry Russell: "Re: Serious Hole in Comment/Discussion CGI Script"
- Reply: Vitaly McLain: "Re: Serious Hole in Comment/Discussion CGI Script"
- Reply: Joe: "Re: Serious Hole in Comment/Discussion CGI Script"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
I am not too good with Perl, but I think I see potential for some
exploitation here.
You said you were able to open text-files because of...
open(FILE, "commentdata/$article.txt");
Does the script parse out any metacharacters from $article? If it does not,
then it has major problems.
The direct avenue of attack would be to try directory traversal, i.e.
trying to view a file like ../../../../../etc/passwd. Obviously this won't
work, because there will be a .txt appended to passwd, and that is why you
should try that "null trick" you mentioned. Append a %00 to the end, which
should confuse Perl into only seeing the /etc/passwd part when opening the
script (see Phrack #55 for more info.)
Good luck.
Vitaly McLain
twistah
datasurge.net
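The check the post asks about, as an added example that is not part of the original message or of the script under discussion: a Perl whitelist applied to $article before it reaches open(), so neither "../" nor an embedded NUL can alter the path. The commentdata/ layout comes from the quoted line; the allowed character set and the 64-character limit are assumptions.

```perl
#!/usr/bin/perl
# Added example, not from the original post: validate the $article CGI
# parameter before it is interpolated into a filename. The commentdata/
# directory is taken from the quoted snippet; the character whitelist and
# length limit are assumptions.
use strict;
use warnings;

my $DATA_DIR = 'commentdata';

# Returns the validated path, or undef if $article is not a plain article id.
sub article_path {
    my ($article) = @_;
    return undef unless defined $article;
    # Reject embedded NUL bytes explicitly: the C-level open behind Perl's
    # open() stops at the first NUL, which is how a "%00" strips ".txt".
    return undef if $article =~ /\0/;
    # Whitelist letters, digits, underscore and hyphen only. This also
    # excludes "/", ".." and every shell or Perl metacharacter.
    return undef unless $article =~ /\A[A-Za-z0-9_-]{1,64}\z/;
    return "$DATA_DIR/$article.txt";
}

# Three-argument open with an explicit '<' mode, so the filename can never
# be interpreted as a mode prefix or a pipe.
sub read_article {
    my ($article) = @_;
    my $path = article_path($article) or return undef;
    open(my $fh, '<', $path) or return undef;
    local $/;                 # slurp the whole file
    my $text = <$fh>;
    close($fh);
    return $text;
}

# Constructed inputs: one normal id, then the traversal and NUL-truncation
# variants discussed in the thread, which must all be rejected.
for my $input ('article42', '../../../../../etc/passwd',
               "../../../../../etc/passwd\0", 'article 42') {
    my $p = article_path($input);
    printf "%-34s -> %s\n", ($input =~ s/\0/\\0/gr),
           defined $p ? $p : 'REJECTED';
}
```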