[15730] in bugtraq

Re: Pollit CGI-script opens doors!

daemon@ATHENA.MIT.EDU (Max Vision)
Tue Jul 11 13:33:11 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Enip.BSO.23.0007111051001.25196-100000@www.whitehats.com>
Date:         Tue, 11 Jul 2000 11:01:57 -0700
Reply-To: Max Vision <vision@WHITEHATS.COM>
From: Max Vision <vision@WHITEHATS.COM>
X-To:         The Warlock <biohazardhq@YAHOO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <396AE2DC.AEC0FB83@yahoo.com>

This was already reported to Bugtraq by Adrian Daminato on July 6th.
http://www.securityfocus.com/bid/1431

On Tue, 11 Jul 2000, The Warlock wrote:
> Description: Bug in Poll_It_SSI_v2.0.cgi reveals info.
> Compromise: Accessing files that aren't in the web-dir.
> Vulnerable Systems: Pollit v2.0 (only tested version).
> Details:
> When you run the Pollit CGI script ALL your world readable files could
> be accessed by any web user, for example your /etc/passwd file could be
> opened to get valid usernames and maybe passwords.
>
> How to exploit this bug?
> Simply request
>
> http://www.targethost.com/pollit/Poll_It_v2.0.cgi?data_dir=\etc\passwd%00
>
> and the passwd file is presented in your browser.
>
> Files that are world readable could be accessed.
>
> Solution:
> I'm not aware of any solution; probably debugging or removing the script
> is the best solution.
>
> BR,
>
> Jan van de Rijt aka The Warlock.
>
> --------------------------------------------------
> visit The BioHazard HQ,
>              http://go.to/biohazardhq
> Tools, RFC's, Rainbow-books, Virii and more.
> --------------------------------------------------
>
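
A log check for the request pattern described in the quoted advisory, added here as an example (not part of either post and not Pollit code): it flags requests to a Poll_It*.cgi script whose data_dir value decodes to a NUL byte or to an absolute or traversal path. The Common Log Format, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample lines in Common Log Format (assumed format, not real traffic).
SAMPLE_LOG = r'''192.0.2.10 - - [11/Jul/2000:10:01:02 -0700] "GET /pollit/Poll_It_v2.0.cgi?data_dir=\etc\passwd%00 HTTP/1.0" 200 812
192.0.2.11 - - [11/Jul/2000:10:02:10 -0700] "GET /pollit/Poll_It_v2.0.cgi HTTP/1.0" 200 1523
192.0.2.12 - - [11/Jul/2000:10:03:44 -0700] "GET /cgi-bin/Poll_It_SSI_v2.0.cgi?data_dir=%2Fetc%2Fpasswd%2500 HTTP/1.0" 200 812
192.0.2.13 - - [11/Jul/2000:10:04:00 -0700] "GET /index.html?data_dir=polls HTTP/1.0" 200 99
192.0.2.14 - - [11/Jul/2000:10:05:00 -0700] "GET /pollit/Poll_It_v2.0.cgi?data_dir=polls HTTP/1.0" 200 1523
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3})')
SCRIPT_RE = re.compile(r'/Poll_It[^/]*\.cgi$', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %2500 -> %00 -> NUL), bounded."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def reasons_for(value):
    """Why a data_dir value is suspect; empty list means it looks benign."""
    checks = [("nul-byte", "\x00" in value),
              ("absolute-or-traversal-path",
               value.startswith(("/", "\\")) or ".." in value)]
    return [name for name, hit in checks if hit]

def suspicious_requests(log_text):
    """Return (client, status, reasons) for Pollit requests with a suspect data_dir."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        path, _, query = target.partition("?")
        if not SCRIPT_RE.search(path):
            continue
        for name, value in parse_qsl(query, keep_blank_values=True):
            found = reasons_for(fully_decode(value)) if name == "data_dir" else []
            if found:
                hits.append((client, status, found))
    return hits

if __name__ == "__main__":
    print(suspicious_requests(SAMPLE_LOG))
```

A hit logged with status 200 is worth following up first, since it suggests the script answered the request rather than rejecting it.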
