Bugtraq mailing list archives

Re: Minor bug in Pagelog.cgi


From: HT Regz <kickass () H3LL 2Y NET>
Date: Mon, 30 Oct 2000 01:46:20 -0500

At this time this is just a theory, since I can't seem to find any sites
running pagelog.cgi to test it, or a copy of the code anywhere to take a
look at it. But, in theory, if you were to append a %20 to the address you
should be able to open any file it is capable of displaying.
Example:
http://server/cgi-bin/pagelog.cgi?display=../../../../etc/passwd
This would attempt to open passwd.log as I understand the posting below,
but what if you were to enter something along the lines of
http://server/cgi-bin/pagelog.cgi?display=../../../../etc/passwd%20something
If this software proves to be like most other CGI programs with the
display options, this would work. The same could also work for the creation
of a file; again, I don't know the complete workings behind this program
and it might have countermeasures to fight that.
Just thought I'd present this theory to you people, so that you could try
it for yourselves.


-------------------------------------
Tyler Reguly
System Admin/Webmaster h3ll.2y.net
Email: root () h3ll 2y net
ICQ: 11854130
"Reach out and step into my H3ll"
-------------------------------------


On Sun, 29 Oct 2000, Mark Stratman wrote:

There is a small bug in PAGELOG.cgi by Metertek (Metertek () yahoo com) which
allows users to create and view files.

Any file on the system with a '.log' extension readable by the uid/gid of
the webserver can be viewed. In addition, two files with extensions of
'.txt' and '.log' can be created in any directory on the system that is
writable by the web server.
This bug lies in the failure of the script to check for directory
traversal.

Proofs of concept:
Viewing '.log' file:
      Create a file 'a.log' in tmp.
      http://server/cgi-bin/pagelog.cgi?display=../../../../tmp/a
      This will let you view a.log
Creating files:
      http://server/cgi-bin/pagelog.cgi?name=../../../../../tmp/blah
      This will create blah.txt and blah.log in /tmp/


The script can be found at http://members.nbci.com/metertek/archive/


cheers.
Mark Stratman (count0)
(mstrat1 () uic edu)
http://sporkstorms.org
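
The directory-traversal check that the report above says the script lacks, sketched as an added example; it is not part of either post and is not Metertek's code, whose source does not appear on this page. The function names, the allowlist and the log directory are assumptions, and the sample values are constructed from the URLs quoted in the thread.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Allowlist for the name taken from display=/name=: no dots, slashes, spaces
# or NUL bytes, so "../" sequences and a "%20something" tail are both refused.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_log_path(raw_value, base_dir, suffix=".log"):
    """Map a raw (still URL-encoded) parameter value to a file under base_dir.

    Returns the absolute path, or None when the value must be rejected.
    """
    name = unquote(raw_value)
    if not SAFE_NAME.fullmatch(name):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name + suffix))
    # Containment check after symlink resolution: the final path must still
    # be inside the log directory.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo():
    """Run constructed sample values through the check; True means accepted."""
    samples = [
        "visits",                              # ordinary log name
        "../../../../tmp/a",                   # traversal from the report
        "../../../../etc/passwd%20something",  # value from the follow-up theory
        "..%2f..%2ftmp%2fa",                   # encoded separators
        "visits%00",                           # encoded NUL byte
        "link",                                # symlink leaving the log dir
    ]
    with tempfile.TemporaryDirectory() as root:
        logs = os.path.join(root, "logs")      # hypothetical log directory
        os.mkdir(logs)
        outside = os.path.join(root, "outside.log")
        open(outside, "w").close()
        os.symlink(outside, os.path.join(logs, "link.log"))
        return {s: resolve_log_path(s, logs) is not None for s in samples}


if __name__ == "__main__":
    for value, ok in demo().items():
        print(f"{value!r}: {'accepted' if ok else 'rejected'}")
```

The same function applies to the `name` parameter before the `.txt` and `.log` files are created, by calling it once per suffix.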


