[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    lastlines.cgi path traversal and command execution vulns
From:       "BrainRawt ." <brainrawt () hotmail ! com>
Date:       2001-12-30 18:27:29
[Download RAW message or body]


Lastlines.cgi path traversal and command execution vulnerabilities
discovered by BrainRawt.

I wasn't planning on submitting this to bugtraq for its not a
widely used cgi but it is still available for download and some
people may be using it.

lastlines.cgi is a script coded by David Powell that allows
a user to view the contents of a logfile specified by the user.

# $unixdir="path/here";
# $error_log is input by the user of the script.

open(FILE, "$unix_dir/$error_log"

This script inproperly filters in the input allowing the traditional
"../../../../../" path traversal chars in return allowing the user
to leave the hard coded $unix_dir and view any file readable by
the webserver.

EX:../../../../../../etc/motd

This script is also missing a "<" in the open() function which
will allow us to execute any command on that remote server that the
webserver has permission to execute.

EX: path/to/error_log;command arg1|

Note: The author has been notified but hasnt replied.

_________________________________________________________________
Join the world’s largest e-mail service with MSN Hotmail. 
http://www.hotmail.com

[prev in list] [next in list] [prev in thread] [next in thread]