Subject: FW: Serious Hole in Comment/Discussion CGI Script
From: Richard Bartlett (richard_bartlett@SW2000.COM)
Date: Fri Oct 27 2000 - 06:24:42 CDT


-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV@SECURITYFOCUS.COM] On Behalf Of Barry Russell
Sent: 27 October 2000 01:11
To: VULN-DEV@SECURITYFOCUS.COM
Subject: Re: Serious Hole in Comment/Discussion CGI Script

Well I tried the nullbyte/%00 trick and it was a no go. And no, the script
does not parse out metacharacters.

Vitaly McLain wrote:

> Hi,
>
> I am not too good with Perl, but I think I see potential for some
> exploitation here.
> You said you were able to open text-files because of...
>
> open(FILE, "commentdata/$article.txt");
>
> Does the script parse out any metacharacters from $article? If it does not,
> then it has major problems.
> The direct avenue of attack would be to try directory traversal, i.e.
> trying to view a file like ../../../../../etc/passwd. Obviously this won't
> work, because there will be a .txt appended to passwd, and that is why you
> should try that "null trick" you mentioned. Append a %00 to the end, which
> should confuse Perl into only seeing the /etc/passwd part when opening the
> script (see Phrack #55 for more info.)
>
> Good luck.
>
> Vitaly McLain
> twistahdatasurge.net
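The `open()` line quoted in the thread beside a hardened replacement, as an added example that is not part of the original posts or the script under discussion. Only the directory name `commentdata` is taken from the quoted code; the function names, the allow-list pattern and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread. It puts the pattern
# quoted in the discussion next to a hardened replacement. The directory
# name "commentdata" comes from the quoted open(); the function names, the
# allow-list regex and the sample inputs below are constructed.
use strict;
use warnings;

my $COMMENT_DIR = 'commentdata';

# As quoted in the thread: $article lands in the path unfiltered. A value
# such as "../../../../../etc/passwd" walks out of commentdata/; the
# appended ".txt" is the only thing in the way, which is why the thread
# discusses a trailing NUL byte (%00): the C library call underneath a
# two-argument open() historically stopped reading the name at the NUL.
sub comment_path_unsafe {
    my ($article) = @_;
    return "$COMMENT_DIR/$article.txt";
}

# Hardened: accept only an explicit allow-list of characters, so "/", ".",
# "\0" and open()/shell metacharacters never reach the filesystem. A bad
# name yields undef instead of a path. Capturing into $1 also untaints the
# value when the script runs under -T.
sub comment_path_safe {
    my ($article) = @_;
    return undef unless defined $article;
    return undef unless $article =~ /\A([A-Za-z0-9_-]{1,64})\z/;
    return "$COMMENT_DIR/$1.txt";
}

# Three-argument open with an explicit read mode: a name beginning with
# "|", "<" or ">" is then a literal filename, never a mode or a pipe.
sub read_comments {
    my ($article) = @_;
    my $path = comment_path_safe($article);
    return undef unless defined $path;
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Constructed inputs: one legitimate article id plus the kinds of value
# the thread worries about.
my @inputs = (
    'article42',
    '../../../../../etc/passwd',
    "../../../../../etc/passwd\0",
    '|id',
);

for my $in (@inputs) {
    (my $shown  = $in)                      =~ s/\0/\\0/g;
    (my $unsafe = comment_path_unsafe($in)) =~ s/\0/\\0/g;
    my $safe = comment_path_safe($in);
    printf "%-30s unsafe => %-44s safe => %s\n",
        $shown, $unsafe, defined $safe ? $safe : 'rejected';
}
```

Run it with `perl example.pl`: the unsafe column shows every input spliced into a path under `commentdata/`, while the safe column accepts only `article42` and rejects the traversal, NUL-terminated and pipe-prefixed names before any file is touched. The allow-list, rather than a deny-list of known bad characters, is what makes the null-byte question moot: a NUL is simply not in the permitted set.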