[17188] in bugtraq
Anaconda Advisory
daemon@ATHENA.MIT.EDU (pestilence)
Fri Oct 13 14:07:46 2000
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="------------79CD1BE0C3701BCDE815D13C"
Message-Id: <39E63ACC.73A8251F@synnergy.net>
Date: Fri, 13 Oct 2000 01:27:24 +0300
Reply-To: pestilence <pestilence@SYNNERGY.NET>
From: pestilence <pestilence@SYNNERGY.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
This is a multi-part message in MIME format.
--------------79CD1BE0C3701BCDE815D13C
Content-Type: text/plain; charset=iso-8859-7
Content-Transfer-Encoding: 7bit
Since this is a commercial program and i haven't received any ack, or
info from the vendors i shall publish the advisory.
Kostas Petrakis aka Pestilence
pestilence@synnergy.net
--------------79CD1BE0C3701BCDE815D13C
Content-Type: text/plain; charset=iso-8859-7;
name="SLA-17.Anaconda.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="SLA-17.Anaconda.txt"
Synnergy Laboratories Advisory SLA-2000-17
NAME
Anaconda Foundation Directory NULL byte vulnerability
AFFECTED
Linux/UNIX with Anaconda Foundation Directory
SYNOPSIS
Synnergy Labs has found a flaw within Anaconda Foundation Directory that allows a user to
successfully traverse the filesystem on a remote host, allowing arbitary files/folders to
be read.
DESCRIPTION
The Anaconda Foundation Directory is a Yahoo style search engine based on the Open Directory
project, www.dmoz.org. The Anaconda Foundation Directory allows you to dynamically integrate content into
your site's own look and feel. This is the exact same content that Lycos features on their
front page! Product pricing is $499 US.
Anaconda Foundation Directory can be found at:http://anacondapartners.com/ap_afodpdemo.shtml
Synnergy has recently discovered a flaw within Anaconda Foundation Directory that allows a remote
user to traverse the filesystem as a request to the script using the $template=_some_file_. It is
then possible to read any file contents with priviledges as the httpd.
Although the script checks for the file extension (.htm, .html, .shtml, .stm) adding a trailing
%00.html, (a NULL byte in URL encoded format), at the end of the request will force the script to
open the file.
Example:
http://www.target.com/cgi-bin/apexec.pl?etype=odp&template=../../../../../../../../../etc/resolv.conf%00.html&passurl=/category/
The above line if given will output the file contents of /etc/resolv.conf.
SOLUTION
The vendors have been informed of the bug. It is advised to wait for the next patched version of
Anaconda Foundation Directory to be released.
AUTHOR
Discovery: pestilence @ synnergy.net
DISCLAIMER
Synnergy Laboratories may not be held liable for the use or potential
effects of these programs or advisories, nor the content contained
within. Use them at your own risk.
COPYRIGHT
Synnergy Laboratories - www.synnergy.net (c) 1998-2000
--------------79CD1BE0C3701BCDE815D13C--
