[11730] in bugtraq
buggy msql again (v2.0.11)
daemon@ATHENA.MIT.EDU (gregory duchemin)
Wed Sep 8 03:22:52 1999
Message-Id: <19990903160225.23393.qmail@securityfocus.com>
Date: Fri, 3 Sep 1999 16:02:25 -0000
Reply-To: gregory duchemin <gdn@NEUROCOM.COM>
From: gregory duchemin <gdn@NEUROCOM.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
hi,
i have just installed the evaluation version of the last
w3-msql release (2.0.11) with its new security mechanism.
There is effectively this new option "Force_Suffix" in
msql.conf that force msql server to take its documents
inside its private root instead of server's one.
The cgi is actually still vulnerable because of numerous
lacks in sources (take a look at storeArgs() in w3-msql.c).
It's possible with a buffer overflow attack to gain web
server priviledge and modify remotly server content.
test it:
www.victim.com is the target site.
http://www.victim.com/cgi-bin/w3-msql/AAAAAAAAA.......AAAAA
with about a 200 chars length filename, the server response
is "Internal Server Error" and the cgi produce a core file.
With a carrefully forged string including code instructions,
it's possible to force remote server to execute arbitrary
code.
i'm going to write an exploit.
Have a nice day
-------
Gregory Duchemin - gdn@neurocom.com
Security Engineer
NEUROCOM http://www.neurocom.com/
179/181 avenue Charles de Gaulle 92200 Neuilly Sur Seine
Tel: 01.41.43.84.84 Fax: 01.41.43.84.80
