RE: new advisory

From: sjat_private
Date: Mon Feb 04 2002 - 03:05:47 PST


    I think some filtering after the line '$q = new CGI;' would help a little
    
    E.g.
    
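    my $SECMSG = "Pliz dont hekk us\n";
    
    # Refuse to continue without a cfg parameter
    if(!defined $q->param('cfg')){ die "missing cfg file\n"; }
    my $xx = $q->param('cfg');
    
    # Reject '..', '//' and './' sequences
    if($xx =~ /\.\.|\/\/|\.\//){ die $SECMSG; }
    # tr///dc deletes and counts every character outside a-zA-Z0-9_-
    # so any non-zero count means a disallowed character was present
    if($xx =~ tr/a-zA-Z0-9_\-//dc){ die $SECMSG; }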
    
    You could also check the ownership of $cfgfile and deny opening
    root (and maybe other) owned files.
    
    >>Exploit :
    >>
    >>http://www.target.com/cgi-bin/14all.cgi?cfg=../../../../../../../../etc/passwd
    >>http://www.target.com/cgi-bin/14all-1.1.cgi?cfg=../../../../../../../../etc/passwd
    >>http://www.target.com/cgi-bin/traffic.cgi?cfg=../../../../../../../../etc/passwd
    >>http://www.target.com/cgi-bin/mrtg.cgi?cfg=../../../../../../../../etc/passwd
    
    
    SJ.
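
The two checks suggested in this reply (filter the 'cfg' parameter, then look at who owns the file before opening it), combined in one routine as an added example that is not part of the original message or of the CGI scripts it discusses. The name `safe_cfg_path`, the deny-list argument, the optional `.cfg` suffix and the temporary demo files are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Temp qw(tempdir);

# Hypothetical helper: map a 'cfg' request parameter to a file directly
# inside $cfgdir. Returns the path, or undef if any check fails.
sub safe_cfg_path {
    my ($name, $cfgdir, @deny_uids) = @_;
    return undef unless defined $name;

    # Allow-list a single path component: no '/', no '..', optional ".cfg".
    return undef unless $name =~ /\A[A-Za-z0-9_-]{1,64}(?:\.cfg)?\z/;

    my $path = "$cfgdir/$name";

    # lstat() describes the directory entry itself, so a symlink pointing
    # outside $cfgdir is seen as a symlink rather than as its target.
    my @st = lstat($path) or return undef;
    return undef unless S_ISREG($st[2]);

    # Ownership check: refuse files owned by any uid on the deny list
    # (a real deployment would list 0 for root).
    my $owner = $st[4];
    return undef if grep { $_ == $owner } @deny_uids;

    return $path;
}

# Constructed demo data in a throwaway directory.
my $dir = tempdir(CLEANUP => 1);
open(my $fh, '>', "$dir/mrtg.cfg") or die "open: $!";
print {$fh} "WorkDir: /tmp\n";
close($fh);
symlink('/etc/passwd', "$dir/link.cfg");    # symlink planted inside $dir

my @cases = (
    [ 'mrtg.cfg',               [] ],
    [ '../../../../etc/passwd', [] ],
    [ 'link.cfg',               [] ],
    [ 'mrtg.cfg',               [$>] ],     # current uid stands in for root
);
for my $c (@cases) {
    my ($name, $deny) = @$c;
    my $p = safe_cfg_path($name, $dir, @$deny);
    printf "%-24s deny=[%s] -> %s\n", $name, join(',', @$deny),
        defined $p ? 'accepted' : 'rejected';
}
```

Only the first case should be accepted: the traversal string fails the allow-list, the symlink fails the regular-file test, and the last case fails the ownership check.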
    


