[UNIX] DPGS Allows Any File to Be Overwritten
From: support@securiteam.com
Date: 06/23/02
From: support@securiteam.com To: list@securiteam.com Date: Sun, 23 Jun 2002 21:25:52 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
DPGS Allows Any File to Be Overwritten
------------------------------------------------------------------------
SUMMARY
<http://lobsanov.com/ilia/DPGS/> DPGS is a free and open-source tool for
enhancing virtual communities, discussion groups and message boards with
dynamically generated photographic member profiles. A security
vulnerability in the product allows overwriting of any file we desire.
DETAILS
NOTE:
It is important to note that this project has been discontinued as of July
30, 2000; administrators should therefore stop using this product or
find a replacement for it as soon as possible.
Vulnerable code:

    # $FORM{'id'} comes from the request and is placed in the path unchecked
    open(DATABASE, ">$path_to_members/$FORM{'id'}/data.txt") ||
        &error("Couldn't write $path_to_members/$FORM{'id'}/data.txt");
    while ( ($form_key, $form_value) = each(%FORM) ) {
        print DATABASE "$form_key$delimiter$form_value\n" unless
            ( $form_value eq '' || $form_key eq "id" || $form_key =~ "password" );
    }
    close(DATABASE);

This opens the user's data file for writing and then writes the submitted
form fields to it. Here is how %FORM values are filtered in DPGS.pll:

    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    $value =~ s/<([^>]|\n)*>//g;
    $value =~ s/<!--(.|\n)*-->//g; #removes any server side includes
    $value =~ s/^\s+//; #remove any leading spaces
    $value =~ s/\s+$//; #remove any trailing spaces
    $value =~ s/$delimiter//g; #remove delimiters if any.
    $value =~ s/\"/\&quot\;/g; #replace quotes with &quot;
    $value =~ s/\r\n/<BR>/g; #replace new line characters with <BR>
    $FORM{$name} = $value;
    }

None of these filters stops directory traversal or the null byte. So if we
sign up with an id of ../../etc/passwd\0, then the /etc/passwd file will be
the one opened for writing (the null byte ends the path string when it is
passed to the operating system, so the trailing /data.txt is dropped). We
can write to any file this way, even overwriting other users' data.txt
files or the administrator data file '../admin'.
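
The check the filter above is missing, as an added example (this is not DPGS code and not from the advisory's author): validate the id against an allow-list before it is used in a path, and open the file with the three-argument form. The function names, the permitted character set and the 32-character limit are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not DPGS code): validate the member id before it reaches open().
use strict;
use warnings;

# Assumption: member ids only need letters, digits, '_' and '-' (max 32 chars).
# The allow-list excludes '/', '.' and NUL, so neither "../" sequences nor a
# "\0" that cuts the path short can pass. \A and \z anchor the whole string;
# '$' would still accept a trailing newline.
sub valid_member_id {
    my ($id) = @_;
    return (defined($id) && $id =~ /\A[A-Za-z0-9_-]{1,32}\z/) ? 1 : 0;
}

# Build the data file path only from a validated id; returns undef otherwise.
sub member_data_path {
    my ($members_dir, $id) = @_;
    return undef unless valid_member_id($id);
    return "$members_dir/$id/data.txt";
}

# Hardened counterpart of the vulnerable open(): the mode is a separate
# argument, so it is never parsed out of the path string.
sub write_member_data {
    my ($members_dir, $id, $fields, $delimiter) = @_;
    my $path = member_data_path($members_dir, $id)
        or die "rejected member id\n";
    open(my $fh, '>', $path) or die "Couldn't write $path: $!\n";
    for my $key (sort keys %$fields) {
        next if $fields->{$key} eq '' || $key eq 'id' || $key =~ /password/;
        print {$fh} "$key$delimiter$fields->{$key}\n";
    }
    close($fh) or die "close failed: $!\n";
    return $path;
}

# Constructed sample ids: one ordinary id, the rest shaped like the advisory's.
for my $id ('alice_01', '../admin', "../../etc/passwd\0", 'a/b', '') {
    (my $shown = $id) =~ s/\0/\\0/g;    # make the NUL visible when printing
    printf "%-22s %s\n", "'$shown'",
        valid_member_id($id) ? 'accepted' : 'rejected';
}
```

Only the first sample id is accepted; the validation runs before any path is built, so a rejected id never reaches open().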
ADDITIONAL INFORMATION
The information has been provided by <mailto:b0iler@eyeonsecurity.net>
b0iler.