lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060126153240.20936.qmail@securityfocus.com>
Date: 26 Jan 2006 15:32:40 -0000
From: spher3@...kerscenter.com
To: bugtraq@...urityfocus.com
Subject: [HSC] Multiple transversal bug in vis


Hackers Center Security Group (http://www.hackerscenter.com/) 
spher3's Security Advisory 

Multiple transversal bug in vis.pl 


-------------------------------------------------------------------------- 

Description: 

Vis.pl is a perl script which manages files in order to show these; 
you can find it in e-cms default files. The vulnerability taken in 
exam is classifiable as transversal bug. In fact can show to everybody 
files such as passwords or accounts. 

-------------------------------------------------------------------------- 

Code Details: 

Vis.pl doesn't control cgi query except for: 

[...] 

if ( -e $datFile ) 
{ 
open ( DAT_FILE, "$datFile" ); 

[...] 

This function controls only the file existence. 
Then the script start to open the file without check dangerous 
characters as "." and "/". 
So is simply to access where you want: 

http://[target]/cgi-bin/e-cms/vis/vis.pl?s=001&p=../../../../etc/passwd%00 

All variables that open files are unsafe: 

http://[target]/cgi-bin/e-cms/vis/vis.pl?s=../../../../etc/passwd%00 

-------------------------------------------------------------------------- 

How to fix: 

You can fix this script with remove those dangerouse characters as taught 
from W3C WWW Security FAQ. Just adding a line: 

$datFile = s/\.\.//g; 

You have to insert a line like this for ALL variables which contain files 
to open. 



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ