[11080] in bugtraq
improper chroot in dbmlparser.exe
daemon@ATHENA.MIT.EDU (robert qdial)
Tue Jul 20 17:44:53 1999
Message-Id: <19990717200953.151.qmail@securityfocus.com>
Date: Sat, 17 Jul 1999 20:09:53 -0000
Reply-To: robert qdial <qdial@PHUNC.COM>
From: robert qdial <qdial@PHUNC.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Hi, this is my first posting to bugtraq. I found something
that needs to be addressed. While browsing some sites the
other night, I noticed a popular guestbook program,
dbmlparser.exe. I have seen this on a few nameless sites so
far, and I'm sure that there are more out there. Anyway,
here are my findings:
Some sites use dbmlparser.exe to handle their guestbooks,
or basic message boards, or the same type of stuff. The
problem here is that it calls for a file that holds the
guestbook or message board postings, DBMLFILE=. This is
calling for DBMLFILE=genericpage.dbml&, then a bit more CGI
to regulate output after that. The problem is that it
doesn't chroot correctly, so in theory you can just insert
any file that you want read access to. Now this is where
this gets fun. Without it properly chroot'ing, it will let
you read any file on the computer that you have read
permission to read. Now in theory, I haven't tried this,
but you can modify the source on the HTML page with the
forms on another site, redirect it to them, and respecify
the file you want to overwrite. Very nasty, needs
addressing. I hope this information helps any sysadmins
out who are using this software.
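
Added example, not part of the original post and not dbmlparser.exe's own code: one way a CGI handler can confine a DBMLFILE value to a single template directory before opening it, which is the check the post reports as missing. The function name `resolve_dbml`, the directory layout and the sample requests are assumptions constructed for illustration.

```python
import os
import tempfile
from urllib.parse import parse_qs

class RejectedPath(Exception):
    """DBMLFILE value does not name a template inside the allowed directory."""

def resolve_dbml(base_dir, query_string):
    """Return the real path of the requested template or raise RejectedPath."""
    values = parse_qs(query_string).get("DBMLFILE", [])
    if len(values) != 1:
        raise RejectedPath("exactly one DBMLFILE value is required")
    name = values[0]
    # Accept only a bare file name with the expected extension.
    if "\x00" in name or not name.lower().endswith(".dbml"):
        raise RejectedPath("not a .dbml template")
    if name != os.path.basename(name) or "\\" in name or ":" in name:
        raise RejectedPath("directory components are not allowed")
    base = os.path.realpath(base_dir)
    # realpath follows symlinks, so a link that leaves base is caught here.
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise RejectedPath("resolves outside the template directory")
    if not os.path.isfile(candidate):
        raise RejectedPath("no such template")
    return candidate

def demo():
    """Check constructed requests against a throwaway directory tree."""
    requests = ["DBMLFILE=genericpage.dbml&x=1", "DBMLFILE=../outside.dbml",
                "DBMLFILE=genericpage.dbml%00.txt", "DBMLFILE=link.dbml"]
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "templates")
        os.mkdir(base)
        for path in (os.path.join(base, "genericpage.dbml"),
                     os.path.join(root, "outside.dbml")):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        os.symlink(os.path.join(root, "outside.dbml"), os.path.join(base, "link.dbml"))
        for qs in requests:
            try:
                resolve_dbml(base, qs)
                results[qs] = "served"
            except RejectedPath as exc:
                results[qs] = str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```

The same check applies to any parameter that names a file to be written, since the form fields that supply it can be changed by the client.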