Bugtraq mailing list archives
RE: new advisory
From: sj () datanet hu
Date: Mon, 4 Feb 2002 12:05:47 +0100 (CET)
I think some filtering after the line '$q = new CGI;' would help a little. E.g.

    my $SECMSG = "Pliz dont hekk us\n";

    # the cfg parameter must be present
    if(!defined $q->param('cfg')){
        die "missing cfg file\n";
    }

    my $xx = $q->param('cfg');

    # reject '..', '//' and './' sequences
    if($xx =~ /\.\.|\/\/|\.\//){
        die $SECMSG;
    }

    # tr///dc deletes and counts every character outside the allowed set;
    # die if any were found
    if($xx =~ tr/a-zA-Z0-9_\-//dc){
        die $SECMSG;
    }

You could also check the ownership of $cfgfile and deny opening root (and maybe other) owned files.
Exploit :
http://www.target.com/cgi-bin/14all.cgi?cfg=../../../../../../../../etc/passwd
http://www.target.com/cgi-bin/14all-1.1.cgi?cfg=../../../../../../../../etc/passwd
http://www.target.com/cgi-bin/traffic.cgi?cfg=../../../../../../../../etc/passwd
http://www.target.com/cgi-bin/mrtg.cgi?cfg=../../../../../../../../etc/passwd
SJ.
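
The checks suggested in the message above (filter the cfg value, then look at who owns the file), combined with a resolved-path containment test, as an added Perl example that is not part of the original post or of the affected scripts. The helper name safe_cfg_path, the scratch directory and the sample file names are constructed for illustration, and the name rule here also permits a dot so that names like router1.cfg pass.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper: return the resolved path of a permitted cfg file, or die.
sub safe_cfg_path {
    my ($name, $base) = @_;
    die "missing cfg file\n" unless defined $name && length $name;

    # Allowlist a bare file name: no '/', no leading dot (assumed naming rule).
    die "bad cfg name\n" unless $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;

    my $root = abs_path($base);
    die "config directory missing\n" unless defined $root;

    # Resolve symlinks, then confirm the result is still inside $root.
    my $real = abs_path(File::Spec->catfile($root, $name));
    die "no such cfg file\n" unless defined $real && -f $real;
    die "cfg resolves outside config directory\n"
        unless index($real, "$root/") == 0;

    # Ownership check: refuse files owned by root (uid 0).
    my $uid = (stat $real)[4];
    die "refusing root-owned file\n" if $uid == 0;
    return $real;
}

# Constructed test data: a scratch config directory with one real file
# and one symlink that points outside it.
my $dir = tempdir(CLEANUP => 1);
open my $fh, '>', "$dir/router1.cfg" or die "cannot create sample: $!\n";
print {$fh} "# sample\n";
close $fh;
symlink '/etc/passwd', "$dir/link.cfg";

for my $candidate ('router1.cfg', 'link.cfg', '../../etc/passwd', '.hidden') {
    my $path = eval { safe_cfg_path($candidate, $dir) };
    my $why  = $@;
    chomp $why;
    printf "%-18s %s\n", $candidate, defined $path ? 'accepted' : "rejected: $why";
}
```

Run as an unprivileged user, only router1.cfg is accepted; link.cfg passes the name filter but is rejected by the containment test, which is the case a character filter alone does not cover. Run as root, router1.cfg is also refused because the sample file is then root-owned.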