Bugtraq mailing list archives
W3.ORG sendtemp.pl
From: Tom Parker <tom () ROOTED NET>
Date: Tue, 13 Feb 2001 01:47:08 -0000
Following are details of a vulnerability I recently discovered in W3.ORG's sendtemp.pl.

Name: sendtemp.pl (W3C)
Remote: Yes
Local: Yes
Type: file disclosure

sendtemp.pl, a part of the Amaya Web development server, contains a file disclosure vulnerability which allows remote read access to files on the server's file system, as whichever UID the httpd is running as.

The vulnerability is really quite simple. When the `templ` argument is passed to sendtemp.pl, it adds a link to the chosen stylesheet and a META field containing the publication URL of the new file to the chosen template. For example:

http://localhost/cgi-bin/sendtemp.pl?templ=template.xml

This is all well and good; however, there is no sanity checking on the param you pass to the script, i.e.:

my $temp_file = param("templ");

So by simply issuing a GET to (for example):

"http://localhost/cgi-bin/sendtemp.pl?templ=../../etc/passwd"

the system's file system can be traversed and the passwd file can be read (assuming the http daemon hasn't been run under chroot()).

The below URL contains a simple exploit, although it's just as easy to use your browser.

http://www.rooted.net/code/sendtemp-exp.pl

Note that W3.org are aware of this problem as of 12/01/01.

Tom Parker - tom () rooted net
MRX of HHP-Programming (www.hhp-programming.net)
Global InterSec INC California - Security Audits, Penetration Testing, Code Auditing.
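As an added example (not part of the original post or of the W3C script), the check the advisory says is missing, written here in Python rather than Perl: the template name is restricted to a bare file name and the resolved path is verified to stay inside the template directory, shown beside the unchecked join that `my $temp_file = param("templ")` amounts to. Function names and the constructed template directory are assumptions.

```python
"""Hardened handling of a sendtemp.pl-style 'templ' parameter (assumed names)."""
import os
import re
import tempfile

# Accept only a bare file name: no '/', no '\', no leading dot, bounded length.
_NAME_RE = re.compile(r"\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\Z")


def unsafe_template_path(template_dir, templ):
    """Mirror of the unchecked original: the parameter is joined as-is,
    so '../../etc/passwd' resolves outside template_dir."""
    return os.path.join(template_dir, templ)


def resolve_template(template_dir, templ):
    """Return the canonical path of templ inside template_dir, or None to refuse.
    Rejects separators and '..' by allowlist, then re-checks containment after
    symlink resolution so a link inside the directory cannot escape it either."""
    if not isinstance(templ, str) or not _NAME_RE.match(templ):
        return None
    base = os.path.realpath(template_dir)
    candidate = os.path.realpath(os.path.join(base, templ))
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Build a constructed template directory and exercise both helpers."""
    tmp = tempfile.mkdtemp()
    tdir = os.path.join(tmp, "templates")
    os.mkdir(tdir)
    with open(os.path.join(tdir, "template.xml"), "w") as fh:
        fh.write("<template/>")  # constructed legitimate template
    with open(os.path.join(tmp, "secret.txt"), "w") as fh:
        fh.write("outside")  # constructed file outside the template dir
    try:  # symlink pointing out of the directory (skipped if not permitted)
        os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(tdir, "link.xml"))
    except OSError:
        pass
    return {
        "good": resolve_template(tdir, "template.xml") is not None,
        "traversal": resolve_template(tdir, "../secret.txt"),
        "absolute": resolve_template(tdir, "/etc/passwd"),
        "symlink": resolve_template(tdir, "link.xml"),
        "unsafe_escapes": os.path.exists(unsafe_template_path(tdir, "../secret.txt")),
    }
```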