[UNIX] WebLibs File Disclosure
From: SecuriTeam (support_at_securiteam.com)
Date: 12/28/04
To: list@securiteam.com Date: 28 Dec 2004 17:45:49 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
WebLibs File Disclosure
------------------------------------------------------------------------
SUMMARY
WebLibs is "a pretty popular simple little Perl script" by Darryl C. Burgdorf,
made available from <http://awsd.com/scripts/weblibs/index.shtml>. Because the
script trusts user-provided data when deciding which file to open, an attacker
can cause the WebLibs CGI to disclose arbitrary files readable by the web
server.
DETAILS
Vulnerable Systems:
 * WebLibs version 1.0 and prior
The vulnerability is a lack of input validation. weblibs.pl places the path of
its data file in a hidden <INPUT> tag inside the dynamically generated page,
reads that path back when the form is submitted, and opens it without any
check. This allows a typical directory traversal attack (directory traversal
is sometimes not even needed, depending on how the web environment is set up)
that can be leveraged to read any non-executable text file on the vulnerable
web server that the web server process has permission to read. The line of
Perl code that causes this vulnerability is:
open (FILE,"$FORM{'TextFile'}");
Because this is Perl's two-argument open, the submitted string is also parsed
for a mode: a value ending in "|" is executed as a command and its output read
back. So, beyond file disclosure, there may be a way to obtain the output of
commands such as ls -la from the system.
Exploitation:
To exploit this vulnerability the attacker or pen tester first saves a local
copy of the initial WebLibs page, the one that asks for the user's input so the
script can generate the results. In that local copy, look for the HTML <INPUT>
tag with a name="TextFile" attribute, for instance:
<INPUT type=hidden value="/some/path/to/the/weblibs/input.txt" name="TextFile">
Now edit the value to some other non-executable text file on the server, such
as /etc/passwd or /etc/hosts, to read sensitive data from the vulnerable web
server; this may give the attacker a chance at gaining shell access. For
example, change the line above to:
<INPUT type=hidden value="/../../../../etc/passwd" name="TextFile">
Save the file (making sure the form's action attribute still points at
weblibs.pl on the target server, since a relative action will not resolve from
a local file), load it in a web browser, fill in all the form fields and press
the submit button. The vulnerable web server returns the contents of the
requested file if the web server process is allowed to read it.
Solution:
One possible solution is to drop the hidden <INPUT> tag from the pages
generated by weblibs.pl and instead define $TextFile as an installation
variable that the script installer fills in once, so the attacker cannot
manipulate it. Whatever is done about the field, the open should also use the
three-argument form with an explicit read mode, open (FILE, '<', $file), so the
value can never be interpreted as a command pipe.
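The following is an added example, not code from weblibs.pl or its author: the
vulnerable two-argument open from the DETAILS section beside a hardened
replacement that follows the Solution above. The form parser is omitted; the
file key is passed straight in. $DATA_DIR is a hypothetical installer-set
value, and the demo points it at a temporary directory it creates itself, with
a constructed input.txt, so the script runs offline.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Directory holding the legitimate data file. Hypothetical installer setting;
# the demo below overrides it with a temporary directory.
our $DATA_DIR = '/var/www/weblibs/data';

# Vulnerable pattern, as in the advisory: whatever the hidden field carried is
# handed to a two-argument open. Perl parses the string for a mode, so
# "/etc/passwd" reads that file and "echo x |" runs a command and reads its
# output.
sub read_textfile_vulnerable {
    my ($name) = @_;
    open(FILE, $name) or return undef;
    my @lines = <FILE>;
    close(FILE);
    return join('', @lines);
}

# Hardened pattern:
#  1. The request supplies only a short key, never a path; the key is mapped
#     to "<key>.txt" under a directory fixed at install time.
#  2. The resolved path is checked to still lie below that directory, which
#     would defeat "../" traversal even if the key check were loosened.
#  3. Three-argument open with an explicit '<' mode, so the value is a file
#     name and nothing else (no pipe, no mode prefix).
sub read_textfile_safe {
    my ($key) = @_;
    return undef unless defined $key && $key =~ /\A[A-Za-z0-9_-]{1,32}\z/;
    my $base = realpath($DATA_DIR) or return undef;
    my $real = realpath(File::Spec->catfile($base, "$key.txt")) or return undef;
    return undef unless index($real, "$base/") == 0;
    open(my $fh, '<', $real) or return undef;
    local $/;                       # slurp the whole file
    my $text = <$fh>;
    close($fh);
    return $text;
}

# Demonstration with constructed inputs (no web server involved).
$DATA_DIR = tempdir(CLEANUP => 1);
open(my $out, '>', "$DATA_DIR/input.txt") or die "cannot write demo file: $!";
print $out "The _ jumped over the _.\n";   # constructed WebLibs-style data
close($out);

for my $v ("$DATA_DIR/input.txt", '/../../../../etc/passwd', 'echo pipe-open |') {
    my $r = read_textfile_vulnerable($v);
    printf "vulnerable %-28s -> %s\n", "'$v'",
        defined $r ? length($r) . " bytes returned" : "failed ($!)";
}
for my $k ('input', '../../../etc/passwd', 'echo pipe-open |') {
    my $r = read_textfile_safe($k);
    printf "safe       %-28s -> %s\n", "'$k'",
        defined $r ? length($r) . " bytes returned" : "rejected";
}
```

Run with perl and compare the two halves of the output: the vulnerable routine
returns data for the absolute /etc/passwd path and for the trailing-pipe
command, while the hardened routine returns data only for the bare key
"input" and rejects the other two before any open is attempted.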
ADDITIONAL INFORMATION
The information has been provided by <mailto:monkey321_1@hotmail.com>
John Bissell.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.