[32743] in bugtraq
BNCweb File Disclosure Vulnerability
daemon@ATHENA.MIT.EDU (Matthias Bethke)
Tue Dec 9 12:41:29 2003
Date: 9 Dec 2003 04:29:49 -0000
Message-ID: <20031209042949.10957.qmail@sf-www2-symnsj.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Matthias Bethke <matthias.bethke@gmx.net>
To: bugtraq@securityfocus.com
BNCweb is a set of CGI scripts developed at the University of Zürich as a user-friendly query interface to the British National Corpus. It allows linguists to retrieve lexical, grammatical and textual data from this 100 million word collection of english texts using a web browser. For more information see http://homepage.mac.com/bncweb/home.html
BNCweb has been found prone to a file dicsclosure vulnerability that allows attackers to read any file accessible to the CGI user (typically "wwwrun") anywhere in the server's file systems by supplying a trivially manipulated URL to the query script. This includes web web server and system password files, opening the door for further compromises. However, exploitation requires access to the script itself, which in a correctly installed system is protected by the web server's access control mechanism, thus only registered users are able to carry out an attack.
The reason for this vulnerability is a piece of obsolete code left over from a development version. As a quick fix, the author suggests removing lines 23 to 25 in the BNCquery.pl script. This has no effect on the script's normal functionality.
