lastlines.cgi path traversal and command execution vulns

From: BrainRawt . (brainrawt@hotmail.com)
Date: 12/30/01 

From: "BrainRawt ." <brainrawt@hotmail.com>
To: bugtraq@securityfocus.com
Date: Sun, 30 Dec 2001 18:27:29 +0000

Lastlines.cgi path traversal and command execution vulnerabilities
discovered by BrainRawt.

I wasn't planning on submitting this to bugtraq for its not a
widely used cgi but it is still available for download and some
people may be using it.

lastlines.cgi is a script coded by David Powell that allows
a user to view the contents of a logfile specified by the user.

# $unixdir="path/here";
# $error_log is input by the user of the script.

open(FILE, "$unix_dir/$error_log"

This script inproperly filters in the input allowing the traditional
"../../../../../" path traversal chars in return allowing the user
to leave the hard coded $unix_dir and view any file readable by
the webserver.

EX:../../../../../../etc/motd

This script is also missing a "<" in the open() function which
will allow us to execute any command on that remote server that the
webserver has permission to execute.

EX: path/to/error_log;command arg1|

Note: The author has been notified but hasnt replied.

_________________________________________________________________
Join the world’s largest e-mail service with MSN Hotmail.
http://www.hotmail.com

Relevant Pages

  • Re: Writing a "Hello world" HTML page from perl script ?
    ... page from a perl script? ... First thing to note is that something has to execute the Perl script - and ... You need to run a webserver and then have the webserver run the script via ... you can't typically persuade a browser to execute a Perl ...
    (comp.lang.perl.misc)
  • Re: Will Linux become as vulnerable as MS ??
    ... > beeing vulnerable to viruses. ... > that they know are executable, and execute intentionally. ... >> Linux, each distro is a little different, and even within the distro, ... > Since clicking on a script is easier than typing it's name, ...
    (comp.os.linux.security)
  • Re: [Full-Disclosure] ColdFusion cross-site scripting security vulnerability of an error page
    ... > execute the arbitrary javascript and HTML code which the attacker ... > It is possible to display the contents transmitted from the client ... > cross-site scripting attack can be executed. ... the script will be executed when the script for an attack ...
    (Full-Disclosure)
  • CGIscript.net - csMailto.cgi - Remote Command Execution
    ... CGIscript.net - csMailto.cgi - Remote Command ... csMailto is a perl cgi formmail script developed by ... execute command on server and mail output to anyone ...
    (Bugtraq)
  • Re: Extracting data from an XML to put into a constant
    ... ExecuteGlobal "Const cnUB = 9" ... The following script causes the same error. ... Ordinary variables and constants defined with execute statements have ... no value until their defining statement is executed at run time. ...
    (microsoft.public.scripting.vbscript)