Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Vulnerability in viewsrc.cgi

From: joetesta () hushmail com
Date: Wed, 23 May 2001 12:45:37 -0800 (PDT)
----- Begin Hush Signed Message from joetesta () hushmail com -----

Vulnerability in viewsrc.cgi



    Overview

viewsrc.cgi v2.0 is a source-code viewing CGI script available from
http://www.mimanet.com/scripts.  A vulnerability exists which
allows a remote user to view any file on the server.



    Details

The following URL demonstrates the problem:

    http://localhost/cgi-bin/viewsrc.cgi?
                         loc=../[any file outside restricted directory]



    Solution

Apply the following patch to viewsrc.cgi:

53a54,56

$FORM{'loc'} =~ s/\.\.//g;
$FORM{'loc'} =~ s/\\//g;
$FORM{'loc'} =~ s/\///g;

65c68
<          open (INHTML, "$predo") or die &err_loc;
---

         open (INHTML, "<$predo") or die &err_loc;


This patch removes any '..', '/', or '\'s present in the $FORM{'loc'}
variable.  It also makes the open() command safer by using the '<'
read-only specifier.



    Vendor Status

MIMAnet was contacted via <webmaster () mimanet com> on
Tuesday, May 1, 2001.  Roberto R. Morelli <morelli () altair7 com>
quickly replied and stated that the problem was verified and an
official fix would be released.  Twenty two days have passed, and nothing
has been done.




    - Joe Testa

e-mail:   joetesta () hushmail com
web page: http://hogs.rit.edu/~joet
AIM:      LordSpankatron


----- Begin Hush Signature v1.3 -----
DOrv4aKzsw/oqP1AX/hJLu6OSDg66o3htrFq10+HrfqZKQSij4O7yk37xInPmtf5jNmw
G8UkEk5iwQVbI51+zG02T5KOB7YIdPTf6doAc2Inrxlhle1lkFX/56v3rVdb5uAkQk2F
/4a6mDilaqcY+lwYkjyT1Yk0Wmz1dcwTF8Bp/wF6y7JaQ1F2EB4q/tgnSK8Q82T+ZlN7
csLmfX2BSub2gzldV8jI7swh4Qfog+V0ZFx0SB4Q5MiRdcQgcLxc2xf+ho2uNzd/sq93
QTW76yFXLiYlJOTmiLP8cgrB5Px9eu4Qstcf/JIiTPbosZSZq10H4svE/4NbLw5cvVoW
e3OwbvzqZZVmQKzuW+xUgd9PJe7vObdo8Z4+cyLQNB1LOp15Fj0I0XHLk9TrDCcGv2cv
FKu6LWn6Fmm0QbumoHXWZnOUP9pAA6MU2xv+EB2JD0hfweLYSNjQ1V4p/qEmYxrq3fFN
Ldl5hjo+WxcV1l8vj15oG/KDqJA5m1PDA09sFVTKcfEt
----- End Hush Signature v1.3 -----


This message has been signed with a Hush Digital Signature. 
To verify the signature, please go to www.hush.com/tools


Free, encrypted, secure Web-based email at www.hushmail.com
Previous By Date Next
Previous By Thread Next

Current thread: