Faqmanager.cgi file read vulnerability

[Nu Omega Tau <nu_omega_tau () altavista com>]

Description (from official page): FAQmanager is one simple perl script that allow you to easily set up and maintain a 
FAQ (Frequently Asked Questions).

Vulnerability: Faqmanager can be used to read files on the server the httpd has access to. Example: 
faqmanager.cgi?toc=/etc/passwd%00 will show the system's /etc/passwd file. Exploitation with Windows systems wasn't 
tested.

Vendor notified: Yes, new version available:
http://www.fourteenminutes.com/code/faqmanager/FAQmanager_2.2.6.zip

Note: The new version seems to be semi-secure, it doesn't filter out the nullbyte, just the slash. Also doesn't it 
filter out dots. On some operating systems, I believe only BSD ones, bugs like these can be used to read directory 
listings. For example when entering a dot the current directory's listing can be viewed.
Also, the source to scripts in the current directory can still be viewed, nasty if you installed the script directly in 
your /cgi-bin directory and you got al your other scripts in there too.
A solution would be to replace the untaint routine in the script with this slightly modified one that filters out the 
nullbyte:

sub untaint 
{ 
  return "" if (!$_[0]); 
 
  my $taint = $_[0]; 
 
  $taint =~ s/[\|\/]//g; 
  $taint =~ s/\0//gii; 
  $taint =~ /^[\<\+\>]*(.*)$/gi; 
  return $1;  # _not_ return $taint 
} 

Nu

-----------
I just found the any key.
-----------


Find the best deals on the web at AltaVista Shopping!
http://www.shopping.altavista.com