Bugtraq mailing list archives
Re: NSFOCUS SA2000-09 : AHG EZshopper Loadpage.cgi FileListDisclosure Vulnerability
From: Marshal <marshal () MARSHAL-SOFT COM>
Date: Tue, 19 Dec 2000 11:33:00 +0100
Hello,

I made an error in my previous mail. I stated that all files ABOVE $root can be viewed; this is not true. I meant all dirs UNDER $root, so if you have $root=/home/marshal you can view all files under /home/marshal/* but can't go to /home/ or any other dir above /home/marshal. Of course you get the user level of the httpd daemon, so this is your restriction when trying to view files. The $root variable can be found in setcart.pl.

The correct info can be found here:
http://www.securiteam.com/unixfocus/AHG_EZshopper_loadpage_cgi_exposes_sensitive_file_and_directory_contents.html

Most of the time people who use AHG have $root=/ or $root=/home/pages/, which in the first case makes it possible to view all the files on the system which are viewable with the user supplied by the http daemon. And the second one makes it possible to view all the webpages including the cgi-bin directory, so you can look at the code of scripts that are parsed at the server side, because the loadpage.cgi script kept it from parsing.

A better solution from AHG would be to only let it view .html and .htm documents and to exclude .cgi or any other kind of file.

Greetings,
Marshal.

Marshal wrote:
> I also contacted AHG about it a long time ago, it seems that they had an update. This update is still vuln, loadpage is possible to view any file above the specified $root= dir in the config file. But execution and viewing files with search is no longer possible. I contacted them about it, they did nothing. But yes, this advisory is old news.
>
> suid () SNEAKERZ ORG wrote:
>> Uhh... guys I don't really mean to dis you but... It sometimes pays to research a bit before releasing advisories. Here is something I posted (to bugtraq no less) on the 28 of Feb this year. k thx bye
>> suid () suid kg - EZ Shopper 3.0 remote command execution.

<cut>

--
Groeten, Marshal
[ url : http://www.startplaza.nu | security news & links ]
[ url : http://www.heknet.com | security news & exploits ]
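
The restriction suggested in the message above, as an added example that is not part of the original post and not AHG's code: a Perl check that serves a file only when it resolves to a .html/.htm document below $root. The function name `resolve_page` and the sample tree are assumptions, and the example goes slightly beyond the message by resolving symlinks before the extension allowlist is applied.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# Added example, not AHG's code. Returns the canonical path when $file
# resolves to a .html/.htm document below $root, otherwise undef.
sub resolve_page {
    my ($root, $file) = @_;
    return unless defined $file && length $file;
    return if $file =~ /\0/;                  # reject embedded NUL bytes
    my $real_root = realpath($root);
    return unless defined $real_root;
    my $real = realpath("$real_root/$file");  # collapses ../ and follows symlinks
    return unless defined $real && -f $real;
    # Confinement: the resolved path must sit below the resolved root.
    my $prefix = $real_root eq '/' ? '/' : "$real_root/";
    return unless index($real, $prefix) == 0;
    # Allowlist on the resolved name, so link.html -> setcart.pl is refused.
    return unless $real =~ /\.html?\z/i;
    return $real;
}

# Constructed sample tree: <tmp>/pages plays the role of $root.
my $tmp = tempdir(CLEANUP => 1);
make_path("$tmp/pages/shop", "$tmp/pages/cgi-bin");
for my $f ("pages/shop/index.html", "pages/cgi-bin/setcart.pl", "secret.txt") {
    open(my $fh, '>', "$tmp/$f") or die "$f: $!";
    print {$fh} "sample\n";
    close $fh;
}
symlink("$tmp/pages/cgi-bin/setcart.pl", "$tmp/pages/shop/link.html");

for my $req ("shop/index.html", "cgi-bin/setcart.pl", "../secret.txt",
             "shop/link.html", "shop/missing.html") {
    my $ok = defined(resolve_page("$tmp/pages", $req));
    printf "%-20s %s\n", $req, $ok ? "serve" : "deny";
}
```

With $root=/ the confinement check passes for every path, so in that configuration the extension allowlist is the only restriction left.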