Security Advisory : eXtropia WebStore (web_store.cgi) Directory

daemon@ATHENA.MIT.EDU (f0bic)
Mon Oct 9 14:50:33 2000

Content-Type: text/plain
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id:  <00100903470700.03249@ninja>
Date:         Mon, 9 Oct 2000 03:45:41 -0400
Reply-To: f0bic@deadprotocol.org
From: f0bic <f0bic@DEADPROTOCOL.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM

[ October 9, 2000 ]


Security Advisory (web_store.cgi.ad-1.00-10) : eXtropia WebStore (web_store.cgi) Directory Traversal Vulnerability




Affected Product/Version:

        * eXtropia WebStore (web_store.cgi/html_web_store.cgi)


Affected Platforms:

        * Unix
        * Windows


Overview:

        The Web Store is a shopping cart product by eXtropia. This script merges Selena Sol's Electronic Outlet HTML
        and Database shopping cart apps and adds all new routines for error handling, order processing, encrypted mailing,
        frames, Javascript and VBscript.


Description:

        The Web Store is made up of a variety of scripts, of which the main routine is web_store.cgi. Its $page parameter
        selects which product/shopping HTML file is displayed. web_store.cgi checks the file extension of the $page input: it
        must end in .html. In other words, http://example.com/cgi-bin/Web_Store/web_store.cgi?page=page.html
        would open page.html in the browser. It checks for the .html extension like so:

                sub error_check_form_data
                {
                  foreach $file_extension (@acceptable_file_extensions_to_display)
                  {
                    # unanchored match: ".html" may appear anywhere in $page
                    if ($page =~ /$file_extension/ || $page eq "")
                    {
                      $valid_extension = "yes";
                    }
                  }
                }

        The open() call is displayed here:

                sub display_page
                {
                  local ($page, $routine, $file, $line) = @_;

                  # the subroutine begins by opening the requested file for
                  # reading, exiting with file_open_error if there is a
                  # problem as usual.

                  open (PAGE, "<$page") ||
                    &file_open_error("$page", "$routine", $file, $line);

                  # rest of display_page not quoted in the advisory
                }


        Taking this information into account, a request to open /etc/inetd.conf such as
        http://example.com/cgi-bin/Web_Store/web_store.cgi?page=../../../../../../../../etc/inetd.conf would fail, since it
        does not fulfil the $file_extension check. The check can be bypassed with a NUL (%00) character: Perl treats it as an
        ordinary character in the string, but the underlying C library interprets it as the \0 string terminator, so every
        character following the %00 is ignored when the file is opened. The file can therefore be opened like this:
        http://example.com/cgi-bin/Web_store/web_store.cgi?page=../../../../../../../../etc/inetd.conf%00.html
        This results in opening the /etc/inetd.conf file. In this manner, arbitrary files could be read.


Solution:

        Stricter input validation, using a regular expression that rejects double-dot strings in $page before it reaches
        the open() call, would prevent this.
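As an added illustration of the fix the Solution section calls for, and not code from eXtropia or from this advisory, the following Perl replaces the extension check and open() quoted above. It goes a little beyond the double-dot regex: it refuses NUL bytes, anchors the extension match to the end of the value, and confirms the resolved path still lies under the page directory. The directory $page_dir, the subroutine names check_page_name and resolve_page, and the sample inputs are assumptions constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not eXtropia's code: a hardened version of the $page
# validation from the advisory. $page_dir and the helper names are
# assumptions for this illustration.
use strict;
use warnings;
use File::Spec;
use Cwd qw(realpath);

my $page_dir = '/var/www/webstore/pages';             # assumed page directory
my @acceptable_file_extensions_to_display = ('.html');

# Pure string checks on the user-supplied value. Returns 1 to accept, 0 to reject.
sub check_page_name {
    my ($page) = @_;
    return 0 unless defined $page && length $page;

    # A NUL byte is ordinary data to Perl but terminates the C string that
    # open() eventually receives, so "../etc/inetd.conf\0.html" would pass an
    # extension test yet open /etc/inetd.conf. Refuse it outright.
    return 0 if $page =~ /\0/;

    # Only a bare file name: no '/', no '\', no leading dot, so neither "../"
    # sequences nor absolute paths are possible. Anchored with \A ... \z.
    return 0 unless $page =~ /\A[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*\z/;

    # The extension must be at the END of the name. The original used
    # /$file_extension/ unanchored and with '.' unescaped, so ".html" matched
    # anywhere in the value, including before a %00.
    for my $ext (@acceptable_file_extensions_to_display) {
        return 1 if $page =~ /\Q$ext\E\z/;
    }
    return 0;
}

# Builds the full path and confirms it still lies under $page_dir after
# symlink and ".." resolution. Returns the path, or undef to refuse.
sub resolve_page {
    my ($page) = @_;
    return undef unless check_page_name($page);
    my $root = realpath($page_dir) or return undef;
    my $full = realpath(File::Spec->catfile($root, $page)) or return undef;
    return undef unless index($full, $root . '/') == 0;
    return $full;
}

# Opens the page with a three-argument open, so the mode is fixed and the
# file name is never parsed for special characters.
sub display_page {
    my ($page) = @_;
    my $full = resolve_page($page);
    unless (defined $full) {
        print "Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n";
        print "invalid page request\n";
        return 0;
    }
    open(my $fh, '<', $full) or return 0;
    print "Content-Type: text/html\r\n\r\n";
    print while <$fh>;
    close $fh;
    return 1;
}

# Constructed inputs showing what the string checks accept and refuse.
my @samples = (
    "page.html",                                      # accept
    "../../../../../../../../etc/inetd.conf",         # refuse: path separators
    "../../../../../../../../etc/inetd.conf\0.html",  # refuse: NUL byte
    "page.html.bak",                                  # refuse: extension not last
    "/etc/inetd.conf",                                # refuse: absolute path
);
for my $s (@samples) {
    (my $shown = $s) =~ s/\0/%00/g;
    printf "%-52s %s\n", $shown, check_page_name($s) ? 'accept' : 'refuse';
}
```

The string checks and the filesystem check are separate on purpose: check_page_name can be unit-tested without a page directory present, while resolve_page is the last line of defence if the directory ever contains a symlink pointing elsewhere. Neither relies on the web server's own document-root restrictions.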


Resources & References:

        * eXtropia's Webpage: http://www.extropia.com


---------------------------------
by f0bic (f0bic@deadprotocol.org)
zSh - http://zsh.interniq.org
