[15747] in bugtraq


Re: Pollit CGI-script opens doors!

daemon@ATHENA.MIT.EDU (Simple Nomad)
Wed Jul 12 13:47:41 2000

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.4.10.10007111308450.765-100000@blackhole.nmrc.org>
Date:         Tue, 11 Jul 2000 13:21:13 -0500
Reply-To: Simple Nomad <thegnome@NMRC.ORG>
From: Simple Nomad <thegnome@NMRC.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Enip.BSO.23.0007111051001.25196-100000@www.whitehats.com>

It should be noted that the Poll_It_v2.0.cgi suffers from the same problem
as Poll_It_SSI_v2.0.cgi. The fix is similar: move line 77
(%in = &ReadForm;) to line 66. Poll_It_v2.0.cgi is in the same distro as
Poll_It_SSI_v2.0.cgi.

-         Simple Nomad          -  No rest for the Wicca'd  -
-      thegnome@nmrc.org        -        www.nmrc.org       -
-  thegnome@razor.bindview.com  -     razor.bindview.com    -

On Tue, 11 Jul 2000, Max Vision wrote:

> This was already reported to Bugtraq by Adrian Daminato on July 6th.
> http://www.securityfocus.com/bid/1431
>
> On Tue, 11 Jul 2000, The Warlock wrote:
> > Description: Bug in Poll_It_SSI_v2.0.cgi reveals info.
> > Compromise: Accessing files that aren't in the web-dir.
> > Vulnerable Systems: Pollit v2.0 (only tested version).
> > Details:
> > When you run the Pollit CGI script ALL your world readable files could
> > be accessed by any web user, for example your /etc/passwd file could be
> > opened to get valid usernames and maybe passwords.
> >
> > How to exploit this bug?
> > Simply request
> >
> > http://www.targethost.com/pollit/Poll_It_v2.0.cgi?data_dir=\etc\passwd%00
> >
> > and the passwd file is presented in your browser.
> >
> > Files that are world readable could be accessed.
> >
> > Solution:
> > I'm not aware of any solution; probably debugging or removing the script
> > is the best solution.
> >
> > BR,
> >
> > Jan van de Rijt aka The Warlock.
> >
> > --------------------------------------------------
> > visit The BioHazard HQ,
> >              http://go.to/biohazardhq
> > Tools, RFC's, Rainbow-books, Virii and more.
> > --------------------------------------------------
> >
>
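
Why moving the form read ahead of the configuration assignments closes the hole, shown as an added Perl example that is not part of the original posts and not code from the Poll It distribution. It assumes a hypothetical form reader that copies each request field into a same-named global (the behaviour the reordering fix implies); the function names, path and request string are constructed.

```perl
#!/usr/bin/perl
# Added illustration; not code from the Poll It distribution.
use strict;
use warnings;

our $data_dir;    # configuration global named after the data_dir parameter

# ASSUMPTION: hypothetical reader that copies every request field into a
# same-named global, which is what the reordering fix implies.
sub read_form_into_globals {
    my ($query) = @_;
    my %in;
    for my $pair (split /[&;]/, $query) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && $k =~ /^\w+$/;
        $v = '' unless defined $v;
        $v =~ tr/+/ /;
        $v =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
        $in{$k} = $v;
        no strict 'refs';
        ${"main::$k"} = $v;    # request data can overwrite any global
    }
    return %in;
}

sub set_config { $data_dir = '/var/www/poll/data' }    # constructed path

# Vulnerable order: configuration first, form parsing second.
sub config_then_form {
    my ($query) = @_;
    set_config();
    read_form_into_globals($query);
    return $data_dir;    # now whatever the request supplied
}

# Order after the fix: form parsing first, configuration second.
sub form_then_config {
    my ($query) = @_;
    read_form_into_globals($query);
    set_config();
    return $data_dir;    # configuration value wins
}

my $query = 'data_dir=/tmp/elsewhere&vote=2';    # constructed request
print "config then form: ", config_then_form($query), "\n";
print "form then config: ", form_then_config($query), "\n";
```

Under this assumption the reordering protects only globals that the configuration block reassigns; a reader that keeps fields in `%in` alone, and never writes them to globals, removes the whole class of override.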
