hi, i have just installed the evaluation version of the last w3-msql release (2.0.11) with its new security mechanism. There is effectively this new option "Force_Suffix" in msql.conf that force msql server to take its documents inside its private root instead of server's one. The cgi is actually still vulnerable because of numerous lacks in sources (take a look at storeArgs() in w3-msql.c). It's possible with a buffer overflow attack to gain web server priviledge and modify remotly server content. test it: www.victim.com is the target site. http://www.victim.com/cgi-bin/w3-msql/AAAAAAAAA.......AAAAA with about a 200 chars length filename, the server response is "Internal Server Error" and the cgi produce a core file. With a carrefully forged string including code instructions, it's possible to force remote server to execute arbitrary code. i'm going to write an exploit. Have a nice day ------- Gregory Duchemin - gdnat_private Security Engineer NEUROCOM http://www.neurocom.com/ 179/181 avenue Charles de Gaulle 92200 Neuilly Sur Seine Tel: 01.41.43.84.84 Fax: 01.41.43.84.80
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:01:47 PDT