Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: poll_it.txt

Poll_It CGI arbitrary file retrieval vulnerability




COMMAND

    Poll_It

SYSTEMS AFFECTED

    Poll_It cgi v2.0

PROBLEM

    Adrian Daminato found following.  The CGI is available from:

        http://www.cgi-world.com/pollit.html

    The bug takes place when calling the CGI and passing it parameters
    that overwrite settings initialized in the CGI:

        /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi?data_dir=/etc/passwd%00

    Because the CGI initializes it's internal variables before parsing
    any  form  data,  and  the  method  it  uses  to  parse  form data
    overwrites internal  variables (in  this case,  $data_dir), it  is
    possible to retrieve any files readable by the webserver.

    On line 78 is the line:

        %in = &ReadForm;

    Moving it  above the  local variable  initializations to  line 66,
    causes any internally used  variables to be initialized  after the
    query is processed, therefore  insuring that correct data  is used
    for the form.

    This doesn't appear to change  the usability of the CGI,  and from
    what we can determine, doesn't create any other security  concerns
    (this fact is not 100% certain).

    Same goes for Poll_It_SSI_v2.0.cgi.

SOLUTION

    It should be noted that the Poll_It_v2.0.cgi suffers from the same
    problem as Poll_It_SSI_v2.0.cgi.   The fix is  similar, move  line
    77 (%in = &ReadForm;) to line 66.  Poll_It_v2.0.cgi is in the same
    distro as Poll_It_SSI_v2.0.cgi.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH