GOBBLES CGI MARATHON #003

From: bugtraq (bugtraqat_private)
Date: Tue Dec 25 2001 - 17:29:03 PST


    PRODUCT
    ******* 
    
    AdStreamer
    http://www.sha-la-la.com/adstreamer/ 
    
    DESCRIPTION
    *********** 
    
    This software has many open() calls whose filename is built from raw CGI
    input, so they can be exploited with the usual Perl tricks: ../ to walk out
    of the data directory, %00 to cut off the appended .dat extension, and a
    leading | or > to turn a two-argument open() into a pipe or a write.
    report2.cgi even passes $input{'log'} to open() with nothing appended at all.
    
    bash-2.05$ egrep 'open|system|exec|eval' *.cgi
    addbanner.cgi:#         This script is apart of the Banner Manager system.  It will add banners
    addbanner.cgi:open(HEADERFILE, "banner/$thebannercat.dat") || die("error opening the file $thebannercat.dat");
    addbanner.cgi:open(HEADERFILE, ">banner/$thebannercat.dat") || die("error opening the file $thebannercat.dat");
    addbanner.cgi:  open(HEADERFILE, ">>banner/$logfile") || die("error opening the file $logfile");
    addbanner.cgi:  open(HEADERFILE, ">banner/$logfile") || die("error opening the file $logfile");
    banner.cgi:#            This script is apart of the Banner Manager system.  It adds banner
    banner.cgi:open(HEADERFILE, "$input{'cat'}.dat") || die("error opening the file $input{'cat'}.dat");
    banner.cgi:open(HEADERFILE, ">$input{'cat'}.dat") || die("error opening the file $input{'cat'}.dat");
    banner.cgi:     open(HEADERFILE, ">>$logfile") || die("error opening the file $logfile");
    banner.cgi:     open(HEADERFILE, ">$logfile") || die("error opening the file $logfile");
    bannereditor.cgi:#              This script is apart of the Banner Manager system.  It preforms banner
    bannereditor.cgi:open(HEADERFILE, "titles.dat") || die("error opening the file titles.dat");
    bannereditor.cgi:       open(HEADERFILE, "$input{'cat'}.dat") || die("error opening the file $input{'cat'}.dat");
    bannereditor.cgi:       open(HEADERFILE, ">$input{'cat'}.dat") || die("error opening the file $input{'cat'}.dat");
    bannereditor.cgi:       open(HEADERFILE, "$input{'cat'}.dat") || die("error opening the file $input{'cat'}.dat");
    bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
    bannereditor.cgi:       open(HEADERFILE, ">categories.dat") || die("error opening the file categories.dat");
    bannereditor.cgi:       open(HEADERFILE, ">ref.dat") || die("error opening the file ref.dat");
    bannereditor.cgi:       open(HEADERFILE, ">titles.dat") || die("error opening the file titles.dat");
    bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
    bannereditor.cgi:               open(HEADERFILE, "$cat.dat") || die("error opening the file $cat.dat");
    bannereditor.cgi:               open(HEADERFILE, ">$cat.dat") || die("error opening the file $cat.dat");
    bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
    bannereditor.cgi:               open(HEADERFILE, "$cat.dat") || die("error opening the file $cat.dat");
    bannereditor.cgi:       open(HEADERFILE, ">>ref.dat") || die("error opening the file ref.dat");
    bannereditor.cgi:       open(HEADERFILE, ">>titles.dat") || die("error opening the file titles.dat");
    bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
    bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
    bannereditor.cgi:                       open(HEADERFILE, "$cat.dat") || die("error opening the file $cat.dat");
    bannereditor.cgi:                       open(HEADERFILE, ">>$cat.dat") || die("error opening the file $cat.dat");
    bannereditor.cgi:       open(HEADERFILE, ">$input{'newcat'}.dat") || die("error opening the file $input{'newcat'}.dat");
    bannereditor.cgi:       open(HEADERFILE, ">>categories.dat") || die("error opening the file categories.dat");
    bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
    bannereditor.cgi:               open(HEADERFILE, "$cat.dat") || die("error opening the file $cat.dat");
    bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
    bannereditor.cgi:       open(HEADERFILE, "ref.dat") || die("error opening the file ref.dat");
    jump.cgi:#              This script is apart of the Banner Manager system.  It recieves every
    jump.cgi:open(HEADERFILE, "ref.dat") || die("error opening the file ref.dat");
    jump.cgi:               open(HEADERFILE, ">>$logfile") || die("error opening the file $logfile");
    jump.cgi:               open(HEADERFILE, ">$logfile") || die("error opening the file $logfile");
    report2.cgi:#           This script is apart of the Banner Manager system.  It generates reports
    report2.cgi:open(HEADERFILE, "titles.dat") || die("error opening the file titles.dat");
    report2.cgi:opendir(LOGDIR, ".") || die("error");
    report2.cgi:    open(HEADERFILE, "$file.log") || die("error opening the file $file.log");
    report2.cgi:opendir(LOGDIR, ".") || die("error");
    report2.cgi:    open(HEADERFILE, "$file.log") || die("error opening the file $file.log");
    report2.cgi:opendir(LOGDIR, ".") || die("error");
    report2.cgi:    open(HEADERFILE, "$file.log") || die("error opening the file $file.log");
    report2.cgi:open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
    report2.cgi:opendir(LOGDIR, ".") || die("error");
    report2.cgi:open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
    report2.cgi:open(HEADERFILE, "$input{'log'}") || die("error opening the file $input{'log'}");
    report2.cgi:open(HEADERFILE, "$input{'log'}") || die("error opening the file $input{'log'}");
    report2.cgi:open(HEADERFILE, "$input{'log'}") || die("error opening the file $input{'log'}");
    report2.cgi:opendir(LOGDIR, ".") || die("error");
    report2.cgi:open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
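    To make the bug class concrete, the following is an added example, not
    AdStreamer's code and not part of the original advisory. It reproduces the
    banner.cgi shape (two-argument open() on "$input{'cat'}.dat") inside a
    throwaway temp directory and puts a hardened version beside it. The
    function names, the directory layout and the sample inputs are my own
    constructions.

```perl
#!/usr/bin/perl
# Added illustration of the open() pattern in the advisory; not AdStreamer code.
use strict;
use warnings;
use File::Temp qw(tempdir);
use Cwd qw(getcwd);

# The shape reported for banner.cgi / bannereditor.cgi: a two-argument open()
# on a string built from a raw CGI parameter. In two-argument form Perl parses
# the string itself for a mode ('<', '>', '>>', '|cmd', 'cmd|'), so the caller's
# data can change what the call does, and '../' changes where it points.
sub open_banner_vulnerable {
    my ($cat) = @_;
    no warnings 'io';   # reading a handle that $cat turned write-only warns; keep output clean
    open(HEADERFILE, "$cat.dat") || return undef;   # same form as in the advisory
    local $/;
    my $data = <HEADERFILE>;
    close(HEADERFILE);
    return $data;
}

# Hardened form: allow-list the category name (no separators, no NUL, no mode
# characters), anchor it under a fixed directory, and use three-argument open()
# so the mode is explicit and the path is taken literally.
sub open_banner_hardened {
    my ($base, $cat) = @_;
    return undef unless defined $cat && $cat =~ /\A[A-Za-z0-9_-]{1,64}\z/;
    open(my $fh, '<', "$base/$cat.dat") or return undef;
    local $/;
    my $data = <$fh>;
    close($fh);
    return $data;
}

sub write_file {
    my ($path, $text) = @_;
    open(my $fh, '>', $path) or die "cannot write $path: $!";
    print $fh $text;
    close($fh);
}

unless (caller) {
    my $orig   = getcwd();
    my $root   = tempdir(CLEANUP => 1);           # constructed sandbox, removed on exit
    my $banner = "$root/banner";
    mkdir $banner or die "mkdir $banner: $!";
    write_file("$banner/sports.dat", "sports banners\n");        # the intended data file
    write_file("$root/secret.dat",   "outside the banner dir\n"); # stands in for any other file
    chdir $banner or die "chdir: $!";   # the CGI opens paths relative to its data directory

    # 1. Intended use.
    print "vuln  cat=sports         -> ", open_banner_vulnerable('sports') // "failed\n";
    # 2. Traversal: '../secret' + '.dat' escapes the directory.
    print "vuln  cat=../secret      -> ", open_banner_vulnerable('../secret') // "failed\n";
    # 3. Mode injection: a leading '>' turns the read into a truncating write.
    open_banner_vulnerable('>../clobbered');
    print "vuln  cat=>../clobbered  -> ",
        (-e "$root/clobbered.dat" ? "created $root/clobbered.dat\n" : "no file\n");
    # A leading '|' would likewise make open() spawn a shell command; not run here.
    # Before Perl 5.20 a NUL (the CGI-decoded %00) also cut the string at the C
    # level, so "../secret\0.dat" opened "../secret"; current Perl refuses NUL in paths.

    # The hardened version accepts only the intended input.
    for my $cat ('sports', '../secret', '>../clobbered', "sports\0x") {
        my $shown = $cat =~ s/\0/\\0/r;
        my $r = open_banner_hardened($banner, $cat);
        print "safe  cat=$shown -> ", defined $r ? $r : "rejected\n";
    }
    chdir $orig;
}
```

    Run it with a Perl 5.14 or newer (it uses the s///r flag); it touches only
    the temp directory it creates. The two fixes that matter are independent:
    the allow-list stops traversal and NUL tricks, and the three-argument open()
    stops the mode characters even if validation is later loosened.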
    
    VENDOR NOTIFICATION
    ******************* 
    
    The vendor is being informed now, together with the public. Not to worry,
    since malicious people don't read Bugtraq.
    
    
    GOBBLES LABS
    GOBBLESat_private
    http://www.bugtraq.org/ 
    
    This archive was generated by hypermail 2b30 : Tue Dec 25 2001 - 19:27:15 PST