[23655] in bugtraq
lastlines.cgi path traversal and command execution vulns
daemon@ATHENA.MIT.EDU (BrainRawt .)
Sun Dec 30 20:41:51 2001
From: "BrainRawt ." <brainrawt@hotmail.com>
To: bugtraq@securityfocus.com
Date: Sun, 30 Dec 2001 18:27:29 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F175rUVYKkpLTkUD5eu0000f573@hotmail.com>
Lastlines.cgi path traversal and command execution vulnerabilities
discovered by BrainRawt.
I wasn't planning on submitting this to bugtraq, for it's not a
widely used CGI, but it is still available for download and some
people may be using it.
lastlines.cgi is a script coded by David Powell that allows
a user to view the contents of a logfile specified by the user.
# $unix_dir="path/here";
# $error_log is input by the user of the script.
open(FILE, "$unix_dir/$error_log");
This script improperly filters the input, allowing the traditional
"../../../../../" path traversal characters, which in turn allows the
user to leave the hard-coded $unix_dir and view any file readable by
the web server.
EX: ../../../../../../etc/motd
This script is also missing a "<" in the open() call. With Perl's
two-argument open(), a file name ending in "|" is run as a command,
which will allow us to execute any command on that remote server that
the web server has permission to execute.
EX: path/to/error_log;command arg1|
Note: The author has been notified but hasn't replied.
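
A hardened form of the open() logic described above, as an added example that is not part of the original post and not David Powell's code. The names safe_log_path and last_lines, the file-name allowlist and the temporary directory standing in for $unix_dir are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Resolve $name inside $dir; return the real path, or nothing if the name
# is not a plain log file name or resolves outside $dir (e.g. via a symlink).
sub safe_log_path {
    my ($dir, $name) = @_;
    return unless defined $name
        && $name =~ /\A[A-Za-z0-9_][A-Za-z0-9._-]{0,63}\z/;   # no "/", ";", "|"
    my $base = realpath($dir);
    return unless defined $base;
    my $candidate = File::Spec->catfile($base, $name);
    return unless -f $candidate;
    my $full = realpath($candidate);
    return unless defined $full && index($full, "$base/") == 0;
    return $full;
}

# Return the last $count lines of a validated log file.
sub last_lines {
    my ($dir, $name, $count) = @_;
    my $path = safe_log_path($dir, $name);
    return unless defined $path;
    # Three-argument open: the mode is fixed to read, so characters such as
    # "|", ">" or ";" in the name are never interpreted by open().
    open(my $fh, '<', $path) or return;
    my @lines = <$fh>;
    close($fh);
    my $start = @lines > $count ? @lines - $count : 0;
    return @lines[$start .. $#lines];
}

# Constructed demo: a temporary log directory standing in for $unix_dir.
my $unix_dir = tempdir(CLEANUP => 1);
open(my $out, '>', File::Spec->catfile($unix_dir, 'error_log')) or die "setup: $!";
print {$out} "constructed line $_\n" for 1 .. 5;
close($out);

# First value is a normal request; the other two are the inputs from the advisory.
for my $input ('error_log', '../../../../../../etc/motd', 'path/to/error_log;command arg1|') {
    my @tail = last_lines($unix_dir, $input, 2);
    printf "%-34s %s\n", $input, @tail ? 'served ' . scalar(@tail) . ' lines' : 'rejected';
}
```

The allowlist stops the traversal and the three-argument open() removes the command execution path independently, so either check still holds if the other is later weakened.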