Informix wbBinaries allows reading of system files



26th Nov 2001 [SBWID-4873]
COMMAND

	Informix wbBinaries allows reading of system files

SYSTEMS AFFECTED

	Informix v.??

PROBLEM

	Beck Mr.R says:

	I found a double-dot vulnerability on a site running an Informix database.
	I can read any file on the system by putting /../ into the URL. But
	so far I have only found two sites with this problem. The site is
	running Netscape-Enterprise/4.0 on Solaris according to Netcraft.com.

	On the site, all image files are linked like this:

	http://site.com/ifx/?
	LO=00000001a6b7c8d900000003000000030004334d
	38e02543000000000001eb800000000000000000000
	0000000000000000000000000000000000000000000
	000000000000000000

	This is a part of fetching an image from the wbBinaries system table.
	The Web DataBlade Module provides wbBinaries for storing large binary
	resources such as images, sounds, and videos.

	But if I want to get the content of the etc directory:

	http://site.com/ifx/?LO=../../../etc/

	or even:

	http://site.com/ifx/?LO=../../../etc/passwd

SOLUTION

	Nothing yet
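
With no fix listed, an operator can at least check access logs for LO values that are not large-object handles. The following is an added example, not part of the original advisory and not Informix code; it assumes a legitimate LO value is hex-only (based on the single sample URL above), and the log lines and the shortened handle are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: a valid LO value is a hex-encoded large-object handle, as in
# the one sample URL in the advisory. Its length is not enforced here.
HEX_HANDLE = re.compile(r"[0-9a-fA-F]+")
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def classify_lo(value):
    """Return 'ok', 'traversal' or 'malformed' for one raw LO value."""
    decoded = value
    for _ in range(3):  # normalise nested percent-encoding before matching
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if ".." in decoded or "/" in decoded or "\\" in decoded:
        return "traversal"
    return "ok" if HEX_HANDLE.fullmatch(decoded) else "malformed"

def scan(log_lines, prefix="/ifx/"):
    """Yield (line_no, verdict, raw_value) for suspicious LO requests."""
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.startswith(prefix):
            continue
        # Split the raw query by hand so the value is reported as logged.
        for pair in url.query.split("&"):
            key, _, raw = pair.partition("=")
            if key == "LO" and (verdict := classify_lo(raw)) != "ok":
                yield n, verdict, raw

SAMPLE_LOG = [  # constructed access-log lines, not real traffic
    '192.0.2.10 - - [26/Nov/2001:10:00:01 +0000] "GET /ifx/?LO=00000001a6b7c8d9 HTTP/1.0" 200 5120',
    '192.0.2.44 - - [26/Nov/2001:10:00:07 +0000] "GET /ifx/?LO=../../../etc/passwd HTTP/1.0" 200 612',
    '192.0.2.44 - - [26/Nov/2001:10:00:09 +0000] "GET /ifx/?LO=%2e%2e%2f%2e%2e%2fetc%2f HTTP/1.0" 200 2048',
    '192.0.2.51 - - [26/Nov/2001:10:00:12 +0000] "GET /ifx/?LO=zzzz HTTP/1.0" 404 0',
    '192.0.2.10 - - [26/Nov/2001:10:00:15 +0000] "GET /index.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for line_no, verdict, raw in scan(SAMPLE_LOG):
        print(f"line {line_no}: {verdict}: LO={raw}")
```

The same `classify_lo` check can sit in a reverse proxy or request filter in front of the `/ifx/` path to reject anything that is not a hex handle.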

