[UNIX] WebLibs File Disclosure
From: SecuriTeam (support_at_securiteam.com)
Date: 12/28/04
To: list@securiteam.com Date: 28 Dec 2004 17:45:49 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
WebLibs File Disclosure
------------------------------------------------------------------------
SUMMARY
WebLibs is "a pretty popular simple little Perl script made available from
<http://awsd.com/scripts/weblibs/index.shtml> Darryl C. Burgdorf". Because
the script uses user-provided information without validating it, an
attacker can cause the WebLibs CGI to disclose arbitrary files.
DETAILS
Vulnerable Systems:
* WebLibs version 1.0 and prior
The security vulnerability, as the reader might already guess, is caused
by a lack of proper input validation: the weblibs.pl script reads the path
of its text file from a hidden <INPUT> tag embedded in the dynamically
generated web page and opens it as-is. Since that value is under the
client's control, this leads to a typical directory traversal attack
(depending on how the web environment is set up, traversal sequences are
sometimes not even needed) that can be leveraged to read any non-executable
text file on the vulnerable web server that the web server process has
permission to read. The line of Perl code that causes this vulnerability
is:
open (FILE,"$FORM{'TextFile'}");
There may be a way to get local files to execute on the system or to get
the output of commands such as ls -la.
Exploitation:
To exploit this vulnerability the attacker/pen tester first needs to save
a copy of the initial generated WebLibs page that asks for the user's
input, from which the script generates its results. Next, after making a
local copy of that page, look for the HTML <INPUT> tag that has a
name="TextFile" attribute, for instance:
<INPUT type=hidden value="/some/path/to/the/weblibs/input.txt" name="TextFile">
Now simply edit the value to some other non-executable server file such as
/etc/passwd or /etc/hosts to read sensitive private data from the
vulnerable web server, which may give the attacker a chance at gaining
shell access to the web server. For example, edit the HTML line mentioned
above to something like:
<INPUT type=hidden value="/../../../../../etc/passwd" name="TextFile">
then save the file, load it in your web browser, fill in all the form
input fields, hit the submit button, and the vulnerable web server will
return the contents of the requested text file if permissions allow.
Solution:
One possible solution is to stop emitting the hidden <INPUT> tag in the
pages generated by weblibs.pl and instead define $TextFile as an
installation variable that is set once by whoever installs the script, so
that an attacker cannot easily manipulate it.
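As an added example (not the advisory's or WebLibs' own code), the vulnerable pattern quoted above beside one hardened form that follows the suggested fix: the text-file path becomes an installer-set configuration variable that the browser can never change, and a three-argument read-only open replaces the two-argument form, which in Perl also parses the string for a mode or a pipe. The %FORM hash and the file paths are assumptions.

```perl
#!/usr/bin/perl
# Added example, not the WebLibs script itself. %FORM is assumed to be the
# CGI's parsed form hash, as in the line quoted by the advisory.
use strict;
use warnings;
use File::Spec;

# Installer-set configuration (the advisory's suggested fix): the input
# file is chosen once at install time, never by the client.
my $TextFile = '/var/www/weblibs/input.txt';   # assumed path

# --- Vulnerable pattern from the advisory (kept only for comparison) ---
# The path comes straight from a hidden form field, and the two-argument
# open lets the client choose both the file and the open mode.
sub read_text_vulnerable {
    my (%FORM) = @_;
    open (FILE,"$FORM{'TextFile'}") or return undef;
    my @lines = <FILE>;
    close FILE;
    return \@lines;
}

# --- Hardened form ---
# Ignores any TextFile field the client sends and opens only the configured
# file, read-only, with a three-argument open so the path string is never
# interpreted for a mode or a pipe.
sub read_text_hardened {
    my $path = File::Spec->rel2abs($TextFile);
    open(my $fh, '<', $path) or die "cannot open configured text file: $!";
    my @lines = <$fh>;
    close $fh;
    return \@lines;
}

# If an installation really must let the form pick a file, accept only a
# bare file name from a fixed directory and reject everything else, so
# neither traversal sequences nor absolute paths can reach the open call.
sub read_named_hardened {
    my ($base_dir, $name) = @_;
    return undef
        unless defined $name && $name =~ /\A[A-Za-z0-9_-]{1,64}\.txt\z/;
    my $path = File::Spec->catfile($base_dir, $name);
    open(my $fh, '<', $path) or return undef;
    my @lines = <$fh>;
    close $fh;
    return \@lines;
}
```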
ADDITIONAL INFORMATION
The information has been provided by <mailto:monkey321_1@hotmail.com>
John Bissell.