[15330] in bugtraq
CGI: Selena Sol's WebBanner ( Random Banner Generator )
daemon@ATHENA.MIT.EDU (Johannes Westerink)
Wed Jun 14 16:09:59 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <ILENKALMCAFBLHBGEOFKGEJCCAAA.jwesterink@jwesterink.daxis.nl>
Date: Tue, 13 Jun 2000 08:55:53 +0200
Reply-To: Johannes Westerink <jwesterink@JOHANNES2.DAXIS.NL>
From: Johannes Westerink <jwesterink@JOHANNES2.DAXIS.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Application Name: WebBanner (Random Banner Generator)
Application Authors: Eric Tachibana (Selena Sol) and Gunther Birznieks
Version: 4.0
Last Modified: 17NOV98
Site: http://www.extropia.com
Origin: Script design fault
Consequence: A user can view files as the user the server is running as
Solution: See the bottom of this page
Description:
~~~~~~~~~~~~~
In your browser, simply type:

http://yourdomain/random_banner/index.cgi?image_list=alternative_image.list&html_file=../../../../../etc/passwd

This should display the passwd file as user nobody (if the server is serving pages as user nobody ...).
I have tried to execute a command with |, but it will not always work, because
the script normally runs with the -T option: #!/usr/bin/perl -T. You can first
view the script code in the above way and check whether the -T option is there; if not,
you can execute any command as the nobody user ( ....&html_file=|ls -la| ).
Solution:
~~~~~~~~~~
A snippet of the script index.cgi from line 195 onward, without comments:
>---[ line 195 + ]-------------------------------------------------
# $html_file comes straight from the query string and reaches open()
# unchecked: "../" walks out of the directory, and a value starting or
# ending with "|" is treated by the two-argument open() as a command pipe.
open (HTML_FILE, "$html_file") ||
    &CgiDie (" blablabla... ");
while (<HTML_FILE>)
{
    if (/\<!--IMG GOES HERE--\>/)
    {
        print qq!
<A HREF = "$random_url">
<IMG SRC = "$image_url/$random_image"></A>!;
    }
    else
    {
        print "$_";
    }
}
close (HTML_FILE);
<------------------------------------------------------------------
The above snippet is not safe code. To make it safer, the code should look like this:
>---[ change above snippet to this snippet! ]----------------------
# Decode %XX escapes first, so an encoded "../" or "|" is seen by the check.
$html_file =~ s/\%([\d\w]{2})/pack('c',hex($1))/gie;
# Refuse "../" and "|" before the file name reaches open().
if( $html_file =~ /\.\.\/|\|/ )
{
    &CgiDie( "Not allowed... " );
}
else
{
    open (HTML_FILE, "$html_file") ||
        &CgiDie ( "I'm sorry, but I was unable to open the requested
HTML file in the Insert Random Banner Into Page routine. The
value I have is $html_file. Would you please check the path and
the permissions for the file." );
    while (<HTML_FILE>)
    {
        if (/\<!--IMG GOES HERE--\>/)
        {
            print qq!
<A HREF = "$random_url">
<IMG SRC = "$image_url/$random_image"></A>!;
        }
        else
        {
            print "$_";
        }
    }
    close (HTML_FILE);
}
<------------------------------------------------------------------
Then you can only get a file in the current directory or an upper directory.
----------------------------------------------------------------------------
-- Sorry for my bad English, and
--
-- ... I am hard of hearing (nearly deaf), that's why
--
----------------------------------------------------------------------------
Johannes Westerink
jwesterink@daxis.nl
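The following Perl is an added example written for this page; it is not code from the advisory or from the WebBanner package. It shows a stricter way to handle the html_file parameter than the pattern check in the post: decode once, accept only a bare file name from a small character set (which also untaints it under -T), canonicalise the result and confirm it still lies inside a fixed template directory, and use the three-argument open() with an explicit read mode so a "|" can never turn the open into a pipe. The directory path, the function names insert_random_banner() and safe_template_path(), and the usage line at the bottom are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not code from the advisory or from WebBanner: a stricter
# way to handle the html_file parameter. Assumed: template pages live
# under $TEMPLATE_DIR (hypothetical path) and the caller passes the raw,
# possibly %-encoded, parameter value to insert_random_banner().
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;

# Assumed location of the pages the banner may be inserted into.
my $TEMPLATE_DIR = realpath('/usr/local/www/random_banner/templates')
    or die "template directory is missing\n";

# Return the canonical path of an allowed template page, or undef.
sub safe_template_path {
    my ($html_file) = @_;
    return undef unless defined $html_file;

    # Decode %XX once, as the advisory's fix does, so that an encoded
    # "../" or "|" is visible to the checks that follow.
    $html_file =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;

    # A NUL byte would truncate the name inside the C library.
    return undef if $html_file =~ /\0/;

    # Positive check rather than a blacklist: a bare file name from a
    # small character set. Without "/", neither "../" nor an absolute
    # path can pass; "|", "<" and ">" are excluded as well, and a leading
    # "." (dot-files) is not allowed. Capturing into $1 is also what
    # untaints the value under -T.
    return undef
        unless $html_file =~ /\A([A-Za-z0-9_-][A-Za-z0-9_.-]*\.html)\z/;
    my $name = $1;

    # Canonicalise and confirm the result still lies inside the template
    # directory; realpath follows symlinks, so a link that points outside
    # the directory is rejected here too.
    my $path = realpath(File::Spec->catfile($TEMPLATE_DIR, $name));
    return undef unless defined $path
        && index($path, $TEMPLATE_DIR . '/') == 0;
    return $path;
}

# Same output as the original loop, but the file name has been vetted and
# the three-argument open() with an explicit '<' mode means a leading or
# trailing "|" can never turn the open into a command pipe.
sub insert_random_banner {
    my ($html_file, $random_url, $image_url, $random_image) = @_;
    my $path = safe_template_path($html_file)
        or die "Not allowed: html_file must name a page in the template directory\n";
    open(my $fh, '<', $path) or die "Cannot open $path: $!\n";
    my $out = '';
    while (my $line = <$fh>) {
        if ($line =~ /<!--IMG GOES HERE-->/) {
            $out .= qq!<A HREF="$random_url"><IMG SRC="$image_url/$random_image"></A>\n!;
        } else {
            $out .= $line;
        }
    }
    close($fh);
    return $out;
}

# Usage (assumed): perl -T banner.pl index.html
my $requested = @ARGV ? $ARGV[0] : 'index.html';
print insert_random_banner($requested, 'http://example.invalid/',
                           '/banners', 'ad1.gif');
```

Run it with the -T switch on the command line as well as in the shebang (perl -T banner.pl index.html); perl refuses to start a script whose #! line asks for -T when the switch is missing from the invocation. The design choice is an allowlist on the file name plus a containment check on the canonical path, rather than the post's blacklist of "../" and "|", because a blacklist still lets through an absolute path such as /etc/passwd or a symlink inside the directory that points elsewhere.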