[20781] in bugtraq
directorypro.cgi , directory traversal
daemon@ATHENA.MIT.EDU (Marshal)
Mon May 28 14:55:09 2001
Message-ID: <1391126D.1FAEDF03@marshal-soft.com>
Date: Tue, 27 May 1980 13:22:21 +0200
From: Marshal <marshal@marshal-soft.com>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cgi-script directorypro.cgi is vulnerable to a directory traversal.
http://target/cgi-bin/directorypro.cgi?want=showcat&show=../../../..//etc/motd%00
I didn't looked at the source of the script but it is probably a script
wat normally puts an extension to the requested file.
But bij putting the %00 (NULL) character at the end of your request you
can
bypass this. The extension will be appended but the string is read till
a
NULL character is found, so before the extension.
Didn't find any report of this bug on securityfocus and google.
And didn't inform vendor because i don't know who it is =)
Greetings
marshal (la~onda)
--
[ url : http://www.startplaza.nu | security news & links ]
[ url : http://www.heknet.com | security news & exploits ]
