[15725] in bugtraq


Pollit CGI-script opens doors!

daemon@ATHENA.MIT.EDU (The Warlock)
Tue Jul 11 10:15:55 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <396AE2DC.AEC0FB83@yahoo.com>
Date:         Tue, 11 Jul 2000 11:03:24 +0200
Reply-To: The Warlock <biohazardhq@YAHOO.COM>
From: The Warlock <biohazardhq@YAHOO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Description: Bug in Poll_It_SSI_v2.0.cgi reveals info.
Compromise: Accessing files that aren't in the web-dir.
Vulnerable Systems: Pollit v2.0 (only tested version).
Details:
When you run the Pollit CGI script ALL your world readable files could
be accessed by any web user, for example your /etc/passwd file could be
opened to get valid usernames and maybe passwords.

How to exploit this bug?
Simply request

http://www.targethost.com/pollit/Poll_It_v2.0.cgi?data_dir=\etc\passwd%00

and the passwd file is presented in your browser.

Files that are world readable could be accessed.

Solution:
I am not aware of any solution; probably debugging or removing the script
is the best solution.

BR,

Jan van de Rijt aka The Warlock.

--------------------------------------------------
visit The BioHazard HQ,
             http://go.to/biohazardhq
Tools, RFC's, Rainbow-books, Virii and more.
--------------------------------------------------
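An added example, not code from the advisory or from the Poll It script: a handler for the `data_dir` parameter that refuses the two inputs the post describes, a NUL byte (`%00`) and a path that leaves the poll data directory. It assumes the script reads `data_dir` from the query string and should only open files beneath one fixed directory; `POLL_BASE` is a placeholder path, not the script's real layout.

```python
import os
from urllib.parse import unquote

# Placeholder for the directory the poll script is allowed to read from
# (assumption: the advisory does not state the real layout).
POLL_BASE = "/var/www/pollit/data"


def validate_data_dir(raw_param: str, base: str = POLL_BASE) -> str:
    """Return an absolute path under `base`, or raise ValueError.

    Two weaknesses from the advisory are checked:
    - a NUL byte (%00) that would truncate the path in a C-level open()
    - a caller-supplied path that escapes the intended data directory
    The stronger fix is to not take data_dir from the client at all.
    """
    value = unquote(raw_param)          # %00 becomes a real NUL character
    if "\x00" in value:
        raise ValueError("NUL byte in data_dir")
    # The advisory's request used backslashes; normalise them so a
    # separator trick does not slip past the containment check below.
    value = value.replace("\\", "/")
    if os.path.isabs(value):
        raise ValueError("absolute path in data_dir")
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, value))
    # Containment: after resolving '..' and symlinks, the result must
    # still sit inside the base directory.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("data_dir escapes the data directory")
    return candidate


def is_allowed(raw_param: str, base: str = POLL_BASE) -> bool:
    """Boolean form of validate_data_dir for quick checks or logging."""
    try:
        validate_data_dir(raw_param, base)
        return True
    except ValueError:
        return False
```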
