[21485] in bugtraq


Interactive Story File Disclosure Vulnerability

daemon@ATHENA.MIT.EDU (qDefense Advisories)
Sun Jul 15 22:05:57 2001

Message-Id: <4.3.2.7.2.20010715184257.00b20100@compumodel.com>
Date: Sun, 15 Jul 2001 18:45:18 -0400
To: bugtraq@securityfocus.com
From: qDefense Advisories <advisories@qDefense.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: 8bit


Interactive Story File Disclosure Vulnerability
qDefense Advisory Number QDAV-2001-7-3

Product: Interactive Story

Vendor: Valerie Mates (http://www.valeriemates.com)

Severity: Remote; Attacker may read arbitrary file

Versions Affected: Version 1.3

Vendor Status: Vendor contacted; has released new version, 1.4, which is 
not vulnerable

Cause: Failure to validate input

In Short: Interactive Story does not properly validate the contents of a 
hidden field entitled "next". By setting that field to the name of a file, 
and using double dots and poison nulls, an attacker can cause Interactive 
Story to display the contents of any file.


The current version of this document is available at 
http://qDefense.com/Advisories/QDAV-2001-7-3.html.

Details:
Interactive Story contains the following lines:

$nextfile = "$story_dir/$in{'next'}.txt";
...
elsif ((-e $nextfile)  && ($in{'submit'} eq "")) {
...

       while (<STORY>) {
          print $_;
       }
...
}

If an attacker sets the "next" field to something like 
../../../../../../../../../../etc/passwd%00, Interactive Story will open 
and display the password file. This technique can be used to display any 
file that the web server has permission to read.

Solution:
Valerie Mates has released an upgrade, version 1.4, which strips special 
characters from the "next" field.




© 2001 qDefense Information Security Consultants. qDefense is a subsidiary 
of Computer Modeling Corp.
This document may be reproduced, in whole or in part, provided that no 
modifications are made and that proper credit is given. Additionally, if it 
is made available through hypertext, it must be accompanied by a link to 
the qDefense web site, http://qdefense.com.
qDefense Advisories
advisories@qDefense.com
qDefense - DEFENDING THE ELECTRONIC FRONTIER

qDefense offers a wide variety of security services
See http://qDefense.com/Services
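
The following Perl sketch is an added example, not part of the qDefense advisory and not Valerie Mates' code. It builds the path the way the quoted 1.3 line does, shows the name the operating system ends up with once a NUL byte is present, and compares that with an allowlist check; $story_dir, os_view, safe_nextfile and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $story_dir = "/var/www/story";   # assumed location, not from the advisory

# Path construction as quoted from version 1.3.
sub nextfile_v13 {
    my ($next) = @_;
    return "$story_dir/$next.txt";
}

# Model of what the C library sees: a C string ends at the first NUL byte,
# so the ".txt" suffix appended by Perl is not part of the name opened.
# Nothing in this example touches the filesystem.
sub os_view {
    my ($path) = @_;
    (my $seen = $path) =~ s/\0.*\z//s;
    return $seen;
}

# Hypothetical validator: accept a short page identifier and reject anything
# else. The allowlist leaves no room for "/", "." or NUL, and \z (unlike $)
# does not tolerate a trailing newline.
sub safe_nextfile {
    my ($next) = @_;
    return unless defined $next && $next =~ /\A[A-Za-z0-9_-]{1,64}\z/;
    return "$story_dir/$next.txt";
}

# Constructed inputs, already URL-decoded as a CGI parser would deliver them.
my @samples = ("chapter2", "../../../../etc/passwd\0", "../chapter2", "chapter2\n");

for my $next (@samples) {
    # Make control bytes visible in the report.
    (my $shown = $next) =~ s/([^\x20-\x7e])/sprintf("\\x%02x", ord $1)/ge;
    my $safe = safe_nextfile($next);
    printf "next=%-30s v1.3 opens: %-38s validated: %s\n",
        "\"$shown\"", os_view(nextfile_v13($next)),
        defined $safe ? $safe : "(rejected)";
}
```

Current Perl releases reject pathnames that contain a NUL byte, which is why os_view models the truncation instead of calling open.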

