Cached_feed.cgi retrieve arbitrary files



Vulnerability

    cached_feed.cgi

Affected

    Cached_Feed CGI

Description

    CDI found the following.  Yet another CGI that lacks sufficient (or
    in this case -any-) input validation, leading to the exposure of
    readable files on the system.

    The cached_feed CGI supplied by Moreover.com is used to retrieve
    news headlines from the Moreover.com site, and then store them for
    retrieval and display within your own local web site.  The program
    accepts two arguments on the QUERY_STRING: the news category to
    retrieve, and the format the headlines should be returned in.  The
    two arguments are supplied to the CGI using a raw query string in
    the form 'category+format', which in turn becomes @ARGV:

        $category = @ARGV[0];
        $format   = @ARGV[1];

    These two lines comprise the bulk of the data validation performed
    by the CGI.  Here's the flaw in the source:

        # Constants
        $base_dir        = ".";
        $cache_dir       = "$base_dir/cached_newsfeeds";
        $cache_file      = "$cache_dir/".$category.".".$format;

    And a little later on...

        if ($age < $cache_time)
        {
           $feed = &obtain_file($cache_file);
        }

    The 'obtain_file' function reads the file specified and returns
    its contents.  The CGI wraps up by printing the contents of the
    file back to the browser.  '$cache_time' defaults to 15 minutes.
    This limits the functionality of the exploit a bit, as the targeted
    file needs to have been created or modified in the last 15
    minutes.

    So, if your password file has been modified within the last 15
    minutes, the obvious exploit for this flaw will allow an intruder
    to retrieve the file.  The file will also be retrieved if the CGI
    is unable to contact the Moreover server or if the Moreover server
    takes longer than 30 seconds to respond.  A crafty intruder could
    potentially induce such a delay using a ping flood against the
    victim host.

    Obvious exploit:

        http://victim/cgi-bin/cached_feed.cgi?../../../.+/etc/passwd

Solution

    Fix: Download new version 2.0:

        http://w.moreover.com/dev/cache/
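
    For sites that cannot upgrade immediately, the missing check on
    $category and $format can be sketched as below.  This is an added
    example, not Moreover's version 2.0 code; the safe_cache_file name,
    the allowlist pattern and the sample inputs are assumptions.

```perl
#!/usr/bin/perl
# Added example (not the vendor's fix): validate both query-string
# arguments before they are used to build $cache_file.
use strict;
use warnings;
use Cwd qw(realpath);

my $base_dir  = ".";
my $cache_dir = "$base_dir/cached_newsfeeds";

# Hypothetical helper: returns a cache path confined to $cache_dir,
# or undef when either argument is unacceptable.
sub safe_cache_file {
    my ($category, $format) = @_;

    for my $arg ($category, $format) {
        return unless defined $arg;
        # Allowlist (assumed naming scheme): letters, digits, '_' and '-'.
        # Dots, slashes and NUL bytes never match, so neither argument
        # can introduce a path component of its own.
        return unless $arg =~ /\A[A-Za-z0-9_-]{1,64}\z/;
    }

    my $path = "$cache_dir/$category.$format";

    # Defence in depth: if the file exists, its resolved location must
    # still sit inside the cache directory (catches symlinks placed there).
    if (-e $path) {
        my $real_dir  = realpath($cache_dir);
        my $real_file = realpath($path);
        return unless defined $real_dir && defined $real_file;
        return unless index($real_file, "$real_dir/") == 0;
    }
    return $path;
}

# Constructed sample inputs: one plausible request, then two with
# traversal sequences in either argument.
my @samples = (
    [ "Top_stories", "html" ],
    [ "../../../.",  "/etc/passwd" ],
    [ "news",        "../x" ],
);
for my $pair (@samples) {
    my $p = safe_cache_file(@$pair);
    printf "%-12s %-12s => %s\n", @$pair, defined $p ? $p : "REJECTED";
}
```

    In the CGI itself the helper would be called with $ARGV[0] and
    $ARGV[1], and the request refused when it returns undef.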

