[15731] in bugtraq


Re: Pollit CGI-script opens doors!

daemon@ATHENA.MIT.EDU (jerry)
Tue Jul 11 13:35:27 2000

MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID:  <002001bfeb51$e0705600$dc084cd5@AdamHaertle>
Date:         Tue, 11 Jul 2000 18:05:40 +0200
Reply-To: jerry <jerry@PABIS.NET.PL>
From: jerry <jerry@PABIS.NET.PL>
To: BUGTRAQ@SECURITYFOCUS.COM

----- Original Message -----
From: The Warlock <biohazardhq@YAHOO.COM>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Tuesday, July 11, 2000 11:03 AM
Subject: Pollit CGI-script opens doors!


> Description: Bug in Poll_It_SSI_v2.0.cgi reveals info.
> Compromise: Accessing files that aren't in the web-dir.
> Vulnerable Systems: Pollit v2.0 (only tested version).
> Details:
> When you run the Pollit CGI script ALL your world readable files could
> be accessed by any web user, for example your /etc/passwd file could be
> opened to get valid usernames and maybe passwords.
>
> How to exploit this bug?
> Simply request
>
> http://www.targethost.com/pollit/Poll_It_v2.0.cgi?data_dir=\etc\passwd%00
>
> and the passwd file is presented in your browser.
>
> Files that are world readable could be accessed.
>
> Solution:
> I'm not aware of any solution; probably debugging or removing the script
> is the best solution.

The solution was given on 07.06, when Adrian Daminato reported this bug
to Bugtraq.
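
An added example, not part of either message and not the fix referred to in the reply above: one way a CGI handler can treat a client-supplied `data_dir` value so that it can only ever name a subdirectory of the poll's own data directory. It is written in Python; the helper `resolve_data_dir`, the exception name and the base directory are assumptions made for illustration.

```python
import os
import re
from urllib.parse import parse_qs

# Assumption: poll data sets are plain subdirectory names, nothing path-like.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


class RejectedParameter(ValueError):
    """Raised when data_dir must not be used to build a path."""


def resolve_data_dir(query_string, base_dir):
    """Return the directory to read poll data from, always inside base_dir."""
    base = os.path.realpath(base_dir)
    values = parse_qs(query_string, keep_blank_values=True).get("data_dir", [])
    if not values:
        return base                      # parameter absent: use the default
    if len(values) > 1:
        raise RejectedParameter("data_dir supplied more than once")
    name = values[0]                     # already percent-decoded by parse_qs
    if "\x00" in name:
        # %00 decodes to NUL, which truncates the path at the C library layer
        raise RejectedParameter("NUL byte in data_dir")
    if not SAFE_NAME.fullmatch(name):
        # rejects separators (/ and \), dots, absolute paths, empty values
        raise RejectedParameter("data_dir is not a plain directory name")
    candidate = os.path.realpath(os.path.join(base, name))
    # realpath follows symlinks, so a link inside base that points outside
    # it is caught here even though its name passed the pattern check
    if os.path.commonpath([base, candidate]) != base:
        raise RejectedParameter("data_dir resolves outside the base directory")
    return candidate


if __name__ == "__main__":
    # Query string taken from the request quoted in the report above;
    # the base directory is a constructed sample path.
    try:
        resolve_data_dir(r"data_dir=\etc\passwd%00", "/var/www/pollit/data")
    except RejectedParameter as exc:
        print("rejected:", exc)
```
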
