From: Rain Forest Puppy (rfpvulnwatch.org)
Date: Tue Dec 25 2001 - 23:35:54 CST

    [[ RFP's note:

    I have verified this vulnerability in the current version on the site
    indicated below. The most severe problem would be that the
    "$input{'cat'}.dat" open in banner.cgi would allow an attacker to run
    commands (the 'cat' parameter is not double-checked/filtered in any way).
    The other CGIs are less severe because they (should) be kept out of access
    by the public, since they let you admin the whole banner system without
    any native auth. ]]

    ----------------------------------------------------------------------------

    PRODUCT
    *******

    AdStreamer
    http://www.sha-la-la.com/adstreamer/

    DESCRIPTION
    ***********

    This software has many open calls that can be exploited with Perl tricks
    like ../, %00, |, etc.

    bash-2.05$ egrep 'open|system|exec|eval' *.cgi
    addbanner.cgi:# This script is apart of the Banner Manager system. It will add banners
    addbanner.cgi:open(HEADERFILE, "banner/$thebannercat.dat") || die("error opening the file $thebannercat.dat");
    addbanner.cgi:open(HEADERFILE, ">banner/$thebannercat.dat") || die("error opening the file $thebannercat.dat");
    addbanner.cgi: open(HEADERFILE, ">>banner/$logfile") || die("error opening the file $logfile");
    addbanner.cgi: open(HEADERFILE, ">banner/$logfile") || die("error opening the file $logfile");
    banner.cgi:# This script is apart of the Banner Manager system. It adds banner
    banner.cgi:open(HEADERFILE, "$input{'cat'}.dat") || die("error opening the file $input{'cat'}.dat");
    banner.cgi:open(HEADERFILE, ">$input{'cat'}.dat") || die("error opening the file $input{'cat'}.dat");
    banner.cgi: open(HEADERFILE, ">>$logfile") || die("error opening the file $logfile");
    banner.cgi: open(HEADERFILE, ">$logfile") || die("error opening the file $logfile");
    bannereditor.cgi:# This script is apart of the Banner Manager system. It preforms banner
    bannereditor.cgi:open(HEADERFILE, "titles.dat") || die("error opening the file titles.dat");
    bannereditor.cgi: open(HEADERFILE, "$input{'cat'}.dat") || die("error opening the file $input{'cat'}.dat");
    bannereditor.cgi: open(HEADERFILE, ">$input{'cat'}.dat") || die("error opening the file $input{'cat'}.dat");
    bannereditor.cgi: open(HEADERFILE, "$input{'cat'}.dat") || die("error opening the file $input{'cat'}.dat");
    bannereditor.cgi: open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
    bannereditor.cgi: open(HEADERFILE, ">categories.dat") || die("error opening the file categories.dat");
    bannereditor.cgi: open(HEADERFILE, ">ref.dat") || die("error opening the file ref.dat");
    bannereditor.cgi: open(HEADERFILE, ">titles.dat") || die("error opening the file titles.dat");
    bannereditor.cgi: open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
    bannereditor.cgi: open(HEADERFILE, "$cat.dat") || die("error opening the file $cat.dat");
    bannereditor.cgi: open(HEADERFILE, ">$cat.dat") || die("error opening the file $cat.dat");
    bannereditor.cgi: open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
    bannereditor.cgi: open(HEADERFILE, "$cat.dat") || die("error opening the file $cat.dat");
    bannereditor.cgi: open(HEADERFILE, ">>ref.dat") || die("error opening the file ref.dat");
    bannereditor.cgi: open(HEADERFILE, ">>titles.dat") || die("error opening the file titles.dat");
    bannereditor.cgi: open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
    bannereditor.cgi: open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
    bannereditor.cgi: open(HEADERFILE, "$cat.dat") || die("error opening the file $cat.dat");
    bannereditor.cgi: open(HEADERFILE, ">>$cat.dat") || die("error opening the file $cat.dat");
    bannereditor.cgi: open(HEADERFILE, ">$input{'newcat'}.dat") || die("error opening the file $input{'newcat'}.dat");
    bannereditor.cgi: open(HEADERFILE, ">>categories.dat") || die("error opening the file categories.dat");
    bannereditor.cgi: open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
    bannereditor.cgi: open(HEADERFILE, "$cat.dat") || die("error opening the file $cat.dat");
    bannereditor.cgi: open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
    bannereditor.cgi: open(HEADERFILE, "ref.dat") || die("error opening the file ref.dat");
    jump.cgi:# This script is apart of the Banner Manager system. It recieves every
    jump.cgi:open(HEADERFILE, "ref.dat") || die("error opening the file ref.dat");
    jump.cgi: open(HEADERFILE, ">>$logfile") || die("error opening the file $logfile");
    jump.cgi: open(HEADERFILE, ">$logfile") || die("error opening the file $logfile");
    report2.cgi:# This script is apart of the Banner Manager system. It generates reports
    report2.cgi:open(HEADERFILE, "titles.dat") || die("error opening the file titles.dat");
    report2.cgi:opendir(LOGDIR, ".") || die("error");
    report2.cgi: open(HEADERFILE, "$file.log") || die("error opening the file $file.log");
    report2.cgi:opendir(LOGDIR, ".") || die("error");
    report2.cgi: open(HEADERFILE, "$file.log") || die("error opening the file $file.log");
    report2.cgi:opendir(LOGDIR, ".") || die("error");
    report2.cgi: open(HEADERFILE, "$file.log") || die("error opening the file $file.log");
    report2.cgi:open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
    report2.cgi:opendir(LOGDIR, ".") || die("error");
    report2.cgi:open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
    report2.cgi:open(HEADERFILE, "$input{'log'}") || die("error opening the file $input{'log'}");
    report2.cgi:open(HEADERFILE, "$input{'log'}") || die("error opening the file $input{'log'}");
    report2.cgi:open(HEADERFILE, "$input{'log'}") || die("error opening the file $input{'log'}");
    report2.cgi:opendir(LOGDIR, ".") || die("error");
    report2.cgi:open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");

    VENDOR NOTIFICATION
    *******************

    Vendor is informed now, along with the public. Not to worry, since malicious
    people don't read Bugtraq.

    GOBBLES LABS
    GOBBLEShushmail.com
    http://www.bugtraq.org/
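The following is an added example, not part of the original post and not AdStreamer's code. It reproduces the shape of the banner.cgi call RFP singles out, open(HEADERFILE, "$input{'cat'}.dat"), shows why a two-argument open() on an unfiltered CGI parameter is command execution rather than just file access, and puts a hardened version beside it. The directory layout, the "sports" category file and the attacker value "|echo INJECTED;" are constructed for the demonstration; the function names are ours.

```perl
#!/usr/bin/perl
# Added example, not AdStreamer's code: the open() pattern quoted in the
# advisory, beside a hardened version. Directory, file and category name
# are made up for the demo.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Stand-in for the CGI's working directory; the real scripts open "$cat.dat"
# relative to wherever the web server runs them, so we chdir into a scratch dir.
my $BASE = tempdir(CLEANUP => 1);
chdir $BASE or die "chdir: $!";
{
    open(my $fh, '>', 'sports.dat') or die "create: $!";   # constructed data file
    print $fh "banner1.gif http://example.invalid/\n";
    close $fh;
}

# Same shape as banner.cgi: open(HEADERFILE, "$input{'cat'}.dat").
# Two-argument open() parses the whole string: a leading '|' makes it a pipe
# FROM a command (run through /bin/sh when the string contains shell
# metacharacters), '>' or '>>' turn it into a write, and '../' is honoured
# as-is. Nothing here constrains $cat, so the remote user picks the mode.
sub vulnerable_open {
    my ($cat) = @_;
    open(my $fh, "$cat.dat") or return undef;
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Hardened version: an anchored allowlist on the parameter (a single token of
# [A-Za-z0-9_-]), then three-argument open() so the mode is fixed in code and
# the second string can only ever be a filename. The capture also untaints the
# value if the script runs under perl -T.
sub safe_open {
    my ($cat) = @_;
    return undef unless defined $cat && $cat =~ /\A([A-Za-z0-9_-]{1,32})\z/;
    my $name = $1;
    my $path = File::Spec->catfile($BASE, "$name.dat");
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Constructed attacker value for ?cat=... : after ".dat" is appended the open
# string is "|echo INJECTED;.dat", which perl hands to sh -c 'echo INJECTED;.dat'.
# The shell runs echo, then fails to find ".dat" (a complaint on stderr only).
my $payload = '|echo INJECTED;';

print "legit   (vuln): ", vulnerable_open('sports');
print "attack  (vuln): ", vulnerable_open($payload);            # prints INJECTED
print "legit   (safe): ", safe_open('sports');
print "attack  (safe): ", defined safe_open($payload)   ? "opened?!\n" : "rejected\n";
print "dotdot  (safe): ", defined safe_open('../sports') ? "opened?!\n" : "rejected\n";
```

The pipe form works on any Perl, which is why RFP rates the banner.cgi call as the most severe finding. The %00 trick the advisory also lists relied on the C-level open() stopping at the first NUL byte so that the appended ".dat" was ignored; recent Perl versions refuse pathnames that contain \0, so that particular variant depends on the Perl of the era, whereas the leading-pipe variant does not. The fix is the combination above: reject anything that is not a plain category token, and never let user data reach a two-argument open().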