[16756] in bugtraq

home help back first fref pref prev next nref lref last post

MultiHTML vulnerability

daemon@ATHENA.MIT.EDU (Niels Heinen)
Thu Sep 14 01:47:01 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <39BFD7BA.6473087C@safemode.org>
Date:         Wed, 13 Sep 2000 21:38:34 +0200
Reply-To: Niels Heinen <niels@SAFEMODE.ORG>
From: Niels Heinen <niels@SAFEMODE.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM

Title :                     MultiHTML vulnerability.
Description :         Retrieve files from the server.
Vendor status :    Notified and a new (not much improved) script is
released.


Short description of the tool:
==============================

MultiHTML allows you to put an SSI call where you want the HTML file to
be displayed.
The SSI executes the MultiHTML program which displays whatever HTML file
you have it set to
display. The main reason i'm posting this is because of the fact that
this script is offerd
by many lets-expand-our-cgi-bins-to-make-us-look-good isp's.


The problems
============

The cgi script checks the extentions of the requested file to see if it
is ok. This easily can be
 tricked by using %00 ( Olaf Kirch )

http://localhost/cgi-bin/multihtml.pl?multi=/etc/passwd%00html

further their is no dcumentroot specified in the script so we do not
need to use the ../../ here
because their is access to every directory on the system in question
(lame). Even if their was a
documentroot and they would filter the dots then you would have to make
sure that the script does
not contain any higher directory's. Because the open(FILE, "$multi")
functions in the script makes
 it easy to bypass .htaccess files.


The solution:
=============

Be a man and learn how to use ssi without a script. Or beg someone to
write a new one ;)


Greets


zillion

home help back first fref pref prev next nref lref last post