[17417] in bugtraq
Re: Minor bug in Pagelog.cgi
daemon@ATHENA.MIT.EDU (HT Regz)
Mon Oct 30 12:07:12 2000
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.10.10010300142260.23318-100000@localhost.localdomain>
Date: Mon, 30 Oct 2000 01:46:20 -0500
Reply-To: HT Regz <kickass@H3LL.2Y.NET>
From: HT Regz <kickass@H3LL.2Y.NET>
X-To: Mark Stratman <mstrat1@UIC.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.GSO.4.10.10010290510220.13352-100000@icarus.cc.uic.edu>
At this time this is just a theory, since I can't seem to find any sites
running pagelog.cgi to test it, or a copy of the code anywhere to take a
look at it. But, in theory, if you were to append a %20 to the address you
should be able to open any file it is capable of displaying.
Example:
http://server/cgi-bin/pagelog.cgi?display=../../../../etc/passwd
This would attempt to open passwd.log as I understand the posting below,
but what if you were to enter something along the lines of
http://server/cgi-bin/pagelog.cgi?display=../../../../etc/passwd%20something
If this software proves to be like most other CGI programs with display
options, this would work. The same could also work for the creation of a
file; again, I don't know the complete workings behind this program and it
might have countermeasures to fight that.
Just thought I'd present this theory to you people, so that you could try
it for yourselves.
-------------------------------------
Tyler Reguly
System Admin/Webmaster h3ll.2y.net
Email: root@h3ll.2y.net
ICQ: 11854130
"Reach out and step into my H3ll"
-------------------------------------
On Sun, 29 Oct 2000, Mark Stratman wrote:
> There is a small bug in PAGELOG.cgi by Metertek (Metertek@yahoo.com) which
> allows users to create and view files.
>
> Any file on the system with a '.log' extension readable by the uid/gid of
> the webserver can be viewed. In addition, two files with extensions of
> '.txt' and '.log' can be created in any directory on the system that is
> writable by the web server.
> This bug lies in the failure of the script to check for directory
> traversal.
>
> Proofs of concept:
> Viewing a '.log' file:
> Create a file 'a.log' in /tmp.
> http://server/cgi-bin/pagelog.cgi?display=../../../../tmp/a
> This will let you view a.log.
> Creating files:
> http://server/cgi-bin/pagelog.cgi?name=../../../../../tmp/blah
> This will create blah.txt and blah.log in /tmp/.
>
>
> The script can be found at http://members.nbci.com/metertek/archive/
>
>
> cheers.
> Mark Stratman (count0)
> (mstrat1@uic.edu)
> http://sporkstorms.org
>
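As an added illustration for anyone maintaining a similar CGI (this is not the Metertek script, whose source is not reproduced in this thread, and not code from either poster), here is the missing check both messages describe: the script appends ".log" (or ".txt" and ".log") to a user-supplied name, so the name must be confined to a fixed data directory before any file is opened or created. The base directory and the parameter names `display`/`name` are assumptions taken from the URLs above.

```python
import os
import re
import urllib.parse
from typing import Optional

# Assumed base directory for pagelog's own data files (not from the real script).
LOG_DIR = "/var/www/pagelog/data"

# Allowlist for the bare log name: no path separators, no dots, no whitespace or
# control characters. "../../../../tmp/a" and "passwd something" (what
# "passwd%20something" decodes to) both fail here before any filesystem work.
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_log_path(name: str, ext: str = ".log", base: str = LOG_DIR) -> Optional[str]:
    """Return the absolute path <base>/<name><ext>, or None if the name is unsafe.

    Two independent checks: the allowlist above, and a canonicalised containment
    check on the final path, so that relaxing the allowlist later still cannot
    let a name escape `base` (for example through a symlink inside it).
    """
    if not _NAME_RE.match(name):
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, name + ext))
    # commonpath, not startswith: "/base2/x" would wrongly pass a prefix test on "/base".
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def check_query(query: str, base: str = LOG_DIR) -> dict:
    """Map a raw pagelog-style query string to the files the request would touch.

    display=NAME -> read NAME.log; name=NAME -> create NAME.txt and NAME.log, as
    the original post describes. Returns {} when the name is rejected, so the
    handler opens or creates nothing.
    """
    params = urllib.parse.parse_qs(query, keep_blank_values=True)  # also %-decodes
    if "display" in params:
        path = resolve_log_path(params["display"][0], ".log", base)
        return {"read": [path]} if path else {}
    if "name" in params:
        paths = [resolve_log_path(params["name"][0], ext, base) for ext in (".txt", ".log")]
        return {"create": paths} if all(paths) else {}
    return {}


def looks_like_traversal(query: str) -> bool:
    """Log-review helper: flag requests whose decoded query carries '..', a path
    separator, a NUL or a space, the shapes discussed in this thread."""
    decoded = urllib.parse.unquote_plus(query)
    return any(tok in decoded for tok in ("..", "/", "\\", "\x00", " "))
```

`looks_like_traversal` is meant for scanning existing access logs for the request shapes in this thread, while `check_query` is the in-handler gate.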