[24080] in bugtraq
RE: new advisory
daemon@ATHENA.MIT.EDU (sj@datanet.hu)
Mon Feb 4 12:03:14 2002
Date: Mon, 4 Feb 2002 12:05:47 +0100 (CET)
From: sj@datanet.hu
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.44.0202041159210.6708-100000@thorium.datanet.hu>
I think some filtering after the line '$q = new CGI;' would help a little.
E.g.
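my $SECMSG = "Pliz dont hekk us\n";
if(!defined $q->param('cfg')){ die "missing cfg file\n"; }
my $xx = $q->param('cfg');
# reject "..", "//" and "./" sequences
if($xx =~ /\.\.|\/\/|\.\//){ die $SECMSG; }
# tr///dc returns the number of characters outside the allowed set
if($xx =~ tr/a-zA-Z0-9_\-//dc){ die $SECMSG; }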
You could also check the ownership of $cfgfile and deny opening
root (and maybe other) owned files.
>>Exploit :
>>
>>http://www.target.com/cgi-bin/14all.cgi?cfg=../../../../../../../../etc/passwd
>>http://www.target.com/cgi-bin/14all-1.1.cgi?cfg=../../../../../../../../etc/passwd
>>http://www.target.com/cgi-bin/traffic.cgi?cfg=../../../../../../../../etc/passwd
>>http://www.target.com/cgi-bin/mrtg.cgi?cfg=../../../../../../../../etc/passwd
SJ.
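
The filtering and ownership check suggested above, combined into one validation routine; this is an added example, not code from the original post or from the CGI scripts it discusses. The helper name safe_cfg_path, the directory layout and the file names are hypothetical, and it assumes config names look like "router1.cfg", so unlike the filter in the post it allows a dot inside the name.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper: map a user-supplied cfg name to a file directly inside
# $cfg_dir, or return undef. Only the returned path should ever reach open().
sub safe_cfg_path {
    my ($cfg_dir, $name) = @_;
    return unless defined $name;
    # Allow-list: a single path component that starts with an alphanumeric,
    # so "..", "/", NUL bytes, leading dots and trailing newlines all fail.
    return unless $name =~ /\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\z/;
    my $path = File::Spec->catfile($cfg_dir, $name);
    return unless -f $path;
    # Containment check after symlink resolution.
    my $base = abs_path($cfg_dir);
    my $real = abs_path($path);
    return unless defined $base && defined $real;
    return unless index($real, "$base/") == 0;
    # Ownership check suggested in the post: refuse root-owned files.
    my @st = stat($real) or return;
    return if $st[4] == 0;
    return $real;
}

# Constructed sample data: a temp directory standing in for the config dir.
# (Run as a non-root user; as root the sample file is root-owned and rejected.)
my $dir = tempdir(CLEANUP => 1);
open(my $fh, '>', "$dir/router1.cfg") or die "create: $!";
print $fh "WorkDir: /tmp\n";
close($fh);
symlink('/etc/passwd', "$dir/link.cfg");   # symlink pointing outside the dir

for my $in ('router1.cfg', '../../etc/passwd', './router1.cfg',
            '//etc/passwd', "router1.cfg\0.png", 'link.cfg', 'missing.cfg') {
    (my $shown = $in) =~ s/\0/\\0/g;
    printf "%-22s => %s\n", $shown,
        defined safe_cfg_path($dir, $in) ? 'accept' : 'reject';
}
```

Run as an unprivileged user, only router1.cfg is accepted; the symlink passes the name check but fails the containment check.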