Hackers Center Security Group (http://www.hackerscenter.com/)
spher3's Security Advisory
Multiple transversal bug in vis.pl
------------------------------------------------------------------------
--
Description:
Vis.pl is a perl script which manages files in order to show these;
you can find it in e-cms default files. The vulnerability taken in
exam is classifiable as transversal bug. In fact can show to everybody
files such as passwords or accounts.
------------------------------------------------------------------------
--
Code Details:
Vis.pl doesn't control cgi query except for:
[...]
if ( -e $datFile )
{
open ( DAT_FILE, "$datFile" );
[...]
This function controls only the file existence.
Then the script start to open the file without check dangerous
characters as "." and "/".
So is simply to access where you want:
http://[target]/cgi-bin/e-cms/vis/vis.pl?s=001&p=../../../../etc/passwd%
00
All variables that open files are unsafe:
http://[target]/cgi-bin/e-cms/vis/vis.pl?s=../../../../etc/passwd%00
------------------------------------------------------------------------
--
How to fix:
You can fix this script with remove those dangerouse characters as taught
from W3C WWW Security FAQ. Just adding a line:
$datFile = s/..//g;
You have to insert a line like this for ALL variables which contain files
to open.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum