Bugtraq mailing list archives
Re: CGI: Selena Sol's WebBanner ( Random Banner Generator ) Vulnerability
From: ron () GWMICRO COM (Ron Parker)
Date: Fri, 16 Jun 2000 15:00:44 -0500
At 08:55 AM 6/13/2000 +0200, Johannes Westerink wrote:
Application Name: WebBanner (Random Banner Generator)
Application Authors: Eric Tachibana (Selena Sol) and Gunther Birznieks
Version: 4.0
Last Modified: 17NOV98
Site: http://www.extropia.com
[...]

There's code in the script that's supposed to stop this exploit. It'd probably be better to fix that instead, assuming it's actually broken. Did you actually test this exploit against a running installation, or is this advisory based solely on static analysis?

------- snippet from earlier in the WebBanner script ----------
# If they try to go outside the directory kill the program
if ($form_data{'html_file'} =~ /\.\\?\./ ||
    $form_data{'html_file'} !~ /\.htm.?$/i) {
    $form_data{'html_file'} = "";
    exit(0);
}
------- end snippet ---------

&CgiDie ( "I'm sorry, but I was unable to open the requested HTML file in the Insert Random Banner Into Page routine. The value I have is $html_file. Would you please check the path and the permissions for the file." );

This isn't safe, and it's also in the original WebBanner script. Note that CgiDie outputs the error message *to the user*. Imagine what happens when some black hat redirects their users to your script with suitable javascript in place of html_file (making sure to avoid the .. or .\. sequence of characters, and to end it with .htm.) See http://www.cert.org/advisories/CA-2000-02.html for more details on this common problem.

Also note that this does not appear to be the only instance of this problem in the WebBanner script.

--
Ron Parker
GW Micro, Inc.
Voice 219-489-3671
Fax 219-489-2608
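
An added example, not part of the original message or of the WebBanner script: the filter quoted above is run over constructed sample values to show that it checks only for directory traversal and the file extension, and a hypothetical `html_escape` helper shows the encoding that would make the value safe to interpolate into the CgiDie message.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The script's own check, copied from the snippet quoted in the message.
# Returns 1 when the script would blank the value and exit.
sub rejected_by_filter {
    my ($v) = @_;
    return ($v =~ /\.\\?\./ || $v !~ /\.htm.?$/i) ? 1 : 0;
}

# Hypothetical helper (not in WebBanner): encode the HTML-significant
# characters so the value is rendered as text, not parsed as markup.
sub html_escape {
    my ($v) = @_;
    my %ent = (
        '&' => '&amp;',  '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $v =~ s/([&<>"'])/$ent{$1}/g;
    return $v;
}

# Constructed sample values for html_file.
my @samples = (
    'banner.html',          # ordinary request
    '../../etc/passwd',     # traversal: caught by the ".." test
    'notes.txt',            # wrong extension: caught by the .htm test
    '<i>markup</i>.htm',    # no "..", ends in .htm: markup gets through
);

for my $v (@samples) {
    if (rejected_by_filter($v)) {
        print "rejected by filter: $v\n";
        next;
    }
    # A value that survives the filter can still reach the error page
    # when the file fails to open, so it must be encoded before output.
    print "passes filter:      $v\n";
    print "  echoed raw:       The value I have is $v.\n";
    print "  echoed escaped:   The value I have is ", html_escape($v), ".\n";
}
```

The same encoding applies to every other place the script echoes request data into a page, which is the point of the closing remark in the message.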