Network Security Vuln-Dev

[HSC] Multiple transversal bug in vis

Subject: [HSC] Multiple transversal bug in vis
Date: 26 Jan 2006 15:32:40 -0000
Hackers Center Security Group (http://www.hackerscenter.com/)
spher3's Security Advisory

Multiple traversal bugs in vis.pl


-------------------------------------------------------------------------- 

Description:

vis.pl is a Perl script that manages files in order to display them;
it ships among the default files of e-cms. The vulnerability examined
here is a directory traversal bug: the script can be made to show
anyone files such as password or account files.

-------------------------------------------------------------------------- 

Code Details:

vis.pl does not validate the CGI query, apart from the following check:

[...]

    if ( -e $datFile )
    {
        open ( DAT_FILE, "$datFile" );

[...]

This check only tests that the file exists. The script then goes on to
open the file without filtering dangerous characters such as "." and
"/", so reaching any path you want is simple:

http://[target]/cgi-bin/e-cms/vis/vis.pl?s=001&p=../../../../etc/passwd%00 

Every variable that is used to open a file is affected:

http://[target]/cgi-bin/e-cms/vis/vis.pl?s=../../../../etc/passwd%00 

-------------------------------------------------------------------------- 

How to fix:

You can fix this script by removing those dangerous characters, as
recommended by the W3C WWW Security FAQ. Just add a line such as:

    $datFile =~ s/\.\.//g;   # strip every ".." sequence from the file name

You have to insert a line like this for ALL variables that contain
files to open.
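As an added example (not code from the advisory or from e-cms), a stricter replacement for the unchecked open shown above: stripping ".." does nothing about the %00 NUL byte used in the sample URLs, so this version rejects NUL bytes, allow-lists the file name, and confirms the resolved path still sits below a data directory. `$BASE_DIR`, `safe_data_file`, `show_file` and the ".dat" suffix are assumed names, not part of vis.pl.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;

# Assumed data directory for this example; the real e-cms layout is not on the page.
my $BASE_DIR = '/var/www/e-cms/data';

# Return the resolved absolute path for a user-supplied file name, or undef if
# the name is rejected. Allow-listing the name is stricter than stripping "..".
sub safe_data_file {
    my ($base, $name) = @_;
    return undef unless defined $name;
    # A NUL byte (%00 in the query) would truncate the name inside the C-level open.
    return undef if $name =~ /\0/;
    # Accept only a plain file name: letters, digits, "_" and "-", optional ".dat" suffix.
    return undef unless $name =~ /\A[A-Za-z0-9_-]{1,64}(?:\.dat)?\z/;
    my $real_base = realpath($base);
    return undef unless defined $real_base;
    # realpath() follows symlinks and collapses "." and ".." (undef if the file is missing).
    my $real = realpath(File::Spec->catfile($base, $name));
    return undef unless defined $real;
    # Defence in depth: the resolved file must still sit below the data directory.
    return undef unless index($real, "$real_base/") == 0;
    return $real;
}

# Replacement for the unchecked open ( DAT_FILE, "$datFile" ) quoted in the advisory.
sub show_file {
    my ($name) = @_;
    my $path = safe_data_file($BASE_DIR, $name);
    print "Content-type: text/plain\n\n";
    unless (defined $path) {
        print "Invalid file name.\n";
        return 0;
    }
    open(my $fh, '<', $path) or do { print "Cannot open file.\n"; return 0; };
    print while <$fh>;
    close $fh;
    return 1;
}

# Stand-alone check from the shell: perl vis_safe.pl '../../../../etc/passwd'
show_file($ARGV[0]) if @ARGV;
```

With the traversal strings from the advisory the allow-list regex fails before any filesystem access, so the script prints "Invalid file name." instead of the target file.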
