directorypro.cgi directory traversal exploit




Tuxtendo Security Advisory
(c) 2001 Tuxtendo
E-Mail: security@tuxtendo.nl
WWW   : http://www.tuxtendo.nl
-------------------------------->


---------------------------
1. Program information
---------------------------
Program Name    : directorypro.cgi
Description     : CGI script
Vendor          : unknown
Program purpose : directorypro.cgi is a CGI script to index and view files in directory structures.
Bug Found by    : Marshal (la~onda) ( marshal@tuxtendo.nl )
Tuxtendo ID     : TXN-0108-2001-TX02
Date            : 01-08-2001

---------------------------
2. Problem Description
---------------------------
directorypro.cgi contains two problems.
It allows directory traversal, and it allows the pre-set prefix to be terminated by adding %00 to
the end of the request.

Normally directorypro.cgi adds a set prefix to the file you requested, but you can evade this by
adding %00 to the end of your request. %00 is the NULL character and prevents directorypro.cgi
from reading further in the buffer.

---------------------------
3. Exploit
---------------------------

http://target/cgi-bin/directorypro.cgi?want=showcat&show=../../../../etc/motd%00

---------------------------
4. Solution
---------------------------
Use another script, check out www.hotscripts.com for other scripts.
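
What a replacement script has to check before it opens a requested file, as an added example that is not part of the original advisory or the vendor's code: reject NUL bytes, then confirm the canonical path stays under the served directory. BASE_DIR, SUFFIX, RejectedPath and resolve_show are hypothetical names, and the fixed suffix is an assumption about how such a script builds its path.

```python
import os
from urllib.parse import parse_qs

# Assumed layout (not from the advisory): files live under BASE_DIR
# and the script appends a fixed SUFFIX to the requested name.
BASE_DIR = "/var/www/directory"
SUFFIX = ".txt"


class RejectedPath(ValueError):
    """Raised when a requested name must not be served."""


def resolve_show(query_string, base_dir=BASE_DIR, suffix=SUFFIX):
    """Map the 'show' parameter to a path inside base_dir, or raise RejectedPath."""
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("show", [])
    if len(values) != 1:
        raise RejectedPath("exactly one 'show' parameter is required")
    name = values[0]  # parse_qs has already percent-decoded %00 to "\x00"

    # 1. A NUL byte never belongs in a file name. C-level file APIs stop
    #    reading at it, so anything the script adds after it is ignored.
    if "\x00" in name:
        raise RejectedPath("NUL byte in file name")
    if not name or os.path.isabs(name):
        raise RejectedPath("empty or absolute path")

    # 2. Canonicalise (collapses ../ and follows symlinks), then require
    #    the result to remain below the canonical base directory.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name + suffix))
    if os.path.commonpath([base, candidate]) != base:
        raise RejectedPath("path escapes base directory")
    return candidate
```

Both checks are needed: the NUL check alone still lets ../ sequences through, and the containment check alone depends on how the underlying file API treats an embedded NUL.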

---------------------------
5. Vendor status
---------------------------
Vendor was not contacted but replied to my post to
bugtraq (05/27/2001, "directorypro.cgi , directory traversal"),
stating he would fix the problem.

The vendor was not contacted because we couldn't find more information about
the script that would lead us to the vendor.

------------------------------------>
DISCLAIMER:
This advisory does not claim to be complete or to be usable for any purpose.
Especially information on the vulnerable systems may be inaccurate.
Possibly supplied exploit code is not to be used for malicious purposes, but for educational
purposes only.
This advisory is free for open distribution in unmodified form.
Articles that are based on information from this advisory should include a link to
www.tuxtendo.nl
------------------------------------>
For more information regarding this 
bug or other information E-Mail:
security@tuxtendo.nl


