Portcullis Security Advisory - Directory Traversal Vulnerability in SunPS iRunbook 2.5.2
From: JWC@portcullis-security.com
Date: 07/11/02
From: JWC@portcullis-security.com
To: bugtraq@securityfocus.com
Date: Thu, 11 Jul 2002 10:11:54 +0100
Portcullis Security Advisory
Directory Traversal Vulnerability in SunPS iRunbook 2.5.2
Vulnerability discovery and development: John Clayton, Portcullis Security
Testing Services Team Leader
Affected system: SunPS iRunbook Version 2.5.2 compiled by Mike Corlett -
15:00 - 8th January 2002 running on Apache 1.3.22 with PHP 4.0.6 - Kernel
version: SunOS 5.8 Generic 108528-12 September 2001 System Type:
SUNW,Sun-Blade-100
Details:
The file none.php used in iRunbook Explorer to view files from the build
snapshot can be manipulated to view any files or folders on the server
providing the web server user has read access to the file and directory. It
was initially achieved by studying the request strings in the links to view
files in the build report and seeing that it makes requests for file paths
with ":" instead of the usual "/". Thus it was possible to use directory
traversal to view any file or folder. Later it was discovered that the
"..:..:" wasn't needed to traverse directories and the path to the file just
needs to be entered in the web browser after the ?.
Impact:
Any user that can access the webserver can view files and directories on the
system that are usually world readable such as /etc/ and /etc/passwd.
Exploit:
view passwd file -
http:// or
http://
.:..:etc:passwd:
view contents of /etc directory -
http:// or
http://
.:..:etc:
Copyright © Portcullis Computer Security Limited 2002, All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
information. It is not to be edited or altered in any way without the
express written consent of Portcullis Computer Security Limited.
Disclaimer: The information herein contained may change without notice. Use
of this information constitutes acceptance for use in an AS IS condition.
There are NO warranties, implied or otherwise, with regard to this
information or its use. Any use of this information is at the user's risk.
In no event shall the author/distributor (Portcullis Computer Security
Limited) be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.
John Clayton
Portcullis Computer Security Ltd.
Security Testing Services Team Leader and
Dragon IDS Technical Product Manager
www.portcullis-security.com
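A defender's-side check for the flaw described in the advisory, as an added example that is not part of the original advisory or of iRunbook's code: it resolves a colon-separated request path against a snapshot root, rejects anything that lands outside it, and applies the same test to access-log lines. The root `/var/irunbook/snapshot`, the `/example/` URL prefix, the function names and the log lines are assumptions constructed for illustration.

```python
import os
import re
from urllib.parse import unquote

# Assumed snapshot location; the advisory does not give the real path.
SNAPSHOT_ROOT = "/var/irunbook/snapshot"

def resolve_snapshot_path(query, root=SNAPSHOT_ROOT):
    """Map a ':'-separated none.php query to a path, or None if it leaves root."""
    decoded = unquote(query)
    if "\x00" in decoded:
        return None
    # The advisory notes that iRunbook links use ':' where a path uses '/'.
    translated = decoded.replace(":", "/")
    root_real = os.path.realpath(root)
    # join() drops root when translated is absolute, so an absolute path fails
    # the containment check below exactly as a '..' sequence does.
    candidate = os.path.realpath(os.path.join(root_real, translated))
    if candidate == root_real or candidate.startswith(root_real + os.sep):
        return candidate
    return None

REQUEST_RE = re.compile(r'"GET \S*?none\.php\?(\S*) HTTP/')

def flag_traversal(log_lines, root=SNAPSHOT_ROOT):
    """Return access-log lines whose none.php query resolves outside root."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match and resolve_snapshot_path(match.group(1), root) is None:
            hits.append(line)
    return hits

# Constructed sample log lines: addresses, URL prefix and times are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jul/2002:10:00:01 +0100] "GET /example/none.php?build:report.txt HTTP/1.0" 200 512',
    '192.0.2.11 - - [11/Jul/2002:10:00:05 +0100] "GET /example/none.php?..:..:etc:passwd: HTTP/1.0" 200 901',
    '192.0.2.11 - - [11/Jul/2002:10:00:09 +0100] "GET /example/none.php?/etc/ HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for hit in flag_traversal(SAMPLE_LOG):
        print("outside snapshot root:", hit)
```

Because the check runs on the resolved path rather than on the raw string, it covers both request forms the advisory describes: the "..:..:" sequence and a path entered directly after the ?.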