[HSC] Multiple traversal bug in vis.pl
HSC Research Group - Advisories
Written by Hackers Center   
Thursday, 26 January 2006 15:16
Hackers Center Security Group (http://www.hackerscenter.com/)
spher3's Security Advisory


Multiple traversal bug in vis.pl


--------------------------------------------------------------------------


Description:

vis.pl is a Perl script that reads files in order to display them; it is
among the default files shipped with e-cms. The vulnerability examined
here is classifiable as a directory traversal bug: it lets anyone read
files such as password or account files.

--------------------------------------------------------------------------


Code Details:

vis.pl does not validate the CGI query parameters except for:

[...]

if ( -e $datFile )
{
open ( DAT_FILE, "$datFile" );

[...]

This test checks only that the file exists. The script then opens the
file without filtering dangerous characters such as "." and "/", so it
is simple to reach any file you want:

http://[target]/cgi-bin/e-cms/vis/vis.pl?s=001&p=../../../../../../../etc/passwd%00

Every variable that names a file to open is unsafe:

http://[target]/cgi-bin/e-cms/vis/vis.pl?s=../../../../../../../etc/passwd%00

--------------------------------------------------------------------------


How to fix:

You can fix this script by removing those dangerous characters, as the
W3C WWW Security FAQ advises. Just add a line:

$datFile =~ s/\.\.//g;

You have to insert a line like this for ALL variables that hold file names
to open.


-- HSC Security Group
Get your site audited for free and pay only if we find it vulnerable!
www.securityforge.com

Security researcher? http://www.hackerscenter.com/security