[23736] in bugtraq


Faqmanager.cgi file read vulnerability

daemon@ATHENA.MIT.EDU (Nu Omega Tau)
Mon Jan 7 15:15:13 2002

Date: 7 Jan 2002 06:30:05 -0800
Message-ID: <20020107143005.5254.cpmta@c016.snv.cp.net>
Content-Type: text/plain
Content-Disposition: inline
Mime-Version: 1.0
To: bugtraq@securityfocus.com
From: Nu Omega Tau <nu_omega_tau@altavista.com>
X-Sent-From: nu_omega_tau@altavista.com

Description (from official page): FAQmanager is a simple Perl script that allows you to easily set up and maintain a FAQ (Frequently Asked Questions).

Vulnerability: Faqmanager can be used to read files on the server the httpd has access to. Example: faqmanager.cgi?toc=/etc/passwd%00 will show the system's /etc/passwd file. Exploitation with Windows systems wasn't tested.

Vendor notified: Yes, new version available:
http://www.fourteenminutes.com/code/faqmanager/FAQmanager_2.2.6.zip

Note: The new version seems to be semi-secure: it doesn't filter out the nullbyte, just the slash. It also doesn't filter out dots. On some operating systems, I believe only BSD ones, bugs like these can be used to read directory listings. For example, when entering a dot, the current directory's listing can be viewed.
Also, the source of scripts in the current directory can still be viewed, which is nasty if you installed the script directly in your /cgi-bin directory and you have all your other scripts in there too.
A solution would be to replace the untaint routine in the script with this slightly modified one that filters out the nullbyte:

# Replacement untaint() for faqmanager.cgi: strips pipes, slashes and
# null bytes, then launders the value through a regex capture so it is
# usable under Perl's -T taint mode.
sub untaint
{
  return "" if (!$_[0]);

  my $taint = $_[0];

  $taint =~ s/[\|\/]//g;   # drop pipe and slash characters
  $taint =~ s/\0//g;       # drop null bytes (the vendor's 2.2.6 filter did not)
  # Strip leading <, + and > characters and capture the rest. Guard the
  # match: on failure $1 would still hold a stale value from an earlier match.
  return "" unless $taint =~ /^[\<\+\>]*(.*)$/;
  return $1;  # _not_ return $taint: only the capture clears the taint flag
}

Nu

-----------
I just found the any key.
-----------
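The post's untaint routine works by deleting a few dangerous characters and, as the note itself says, still lets a dot or a script name through. The script below is an added example written for this archive entry; it is not the poster's code and not FAQmanager's. It contrasts a reconstruction of the slash-only filter described for version 2.2.6 with an allow-list check that only accepts a plain word as the "toc" name and then verifies that the resolved file is a regular file inside the FAQ directory. The ".faq" suffix, the directory layout and the sample inputs are assumptions constructed for the demonstration; the fixture is created in a temporary directory so the script runs offline.

```perl
#!/usr/bin/perl
# Added example (not from the advisory or FAQmanager): allow-list validation
# of a "toc" parameter versus a slash-only character filter.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Cwd qw(abs_path);

# Allow-list check: the toc name must be a short plain word, and the file it
# names must be a regular file that resolves inside $base_dir. The ".faq"
# suffix is an assumed naming convention, not FAQmanager's own.
sub safe_toc_path {
    my ($base_dir, $toc) = @_;
    return unless defined $toc;
    return if $toc =~ /\0/;                          # null byte truncates C paths
    return unless $toc =~ /\A[A-Za-z0-9_-]{1,64}\z/;  # no '.', '/', '\' or newline
    my $path = File::Spec->catfile($base_dir, "$toc.faq");
    return unless -f $path;                          # regular file, not a directory
    my $real = abs_path($path);
    my $root = abs_path($base_dir);
    return unless defined $real && defined $root;
    return unless index($real, "$root/") == 0;       # resolved path stays under base
    return $real;
}

# The slash-only filter described for FAQmanager 2.2.6, reconstructed from
# the post's description (the vendor's actual code is not on the page).
sub slash_only_filter {
    my $t = shift;
    $t =~ s/[\|\/]//g;
    return $t;
}

# Constructed fixture: a FAQ directory holding one FAQ and one CGI script.
my $dir = tempdir(CLEANUP => 1);
open(my $fh, '>', "$dir/intro.faq") or die "cannot write fixture: $!";
print $fh "Q: What is this?\nA: A FAQ.\n";
close $fh;
open($fh, '>', "$dir/faqmanager.cgi") or die "cannot write fixture: $!";
print $fh "#!/usr/bin/perl\n";
close $fh;

# Inputs named in the advisory plus one legitimate request (all constructed).
my @inputs = ("intro", "/etc/passwd\0", ".", "../faqmanager", "faqmanager.cgi\0");

for my $toc (@inputs) {
    (my $shown = $toc) =~ s/\0/\\0/g;                # make the null byte visible
    my $filtered = slash_only_filter($toc);
    (my $fshown = $filtered) =~ s/\0/\\0/g;
    my $safe = safe_toc_path($dir, $toc);
    printf "%-20s slash-only -> %-20s allow-list -> %s\n",
        "'$shown'", "'$fshown'",
        defined $safe ? "accepted ($safe)" : "rejected";
}
```

Only "intro" passes the allow-list; every other input is rejected before any file is touched, whereas the slash-only filter still hands the null byte, the lone dot and the script name on to the file open. Rejecting anything outside a small character set is the usual way to close this class of bug, since deleting individual bad characters has to anticipate every one of them (null byte, dot, backslash on Windows) and the post shows how easily one is missed.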


