SecurityTracker.com
Category:  Application (Forum/Board/Portal)  >  Face Control
Vendors:  Elido Media
Face Control Input Validation Hole in 'vis.pl' Lets Remote Users Traverse the Directory
SecurityTracker Alert ID:  1015547
SecurityTracker URL:  http://securitytracker.com/id?1015547
CVE Reference:  CVE-2006-0484
Updated:  Feb 4 2006
Original Entry Date:  Jan 27 2006
Impact:  Disclosure of system information, Disclosure of user information
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Description:  spher3 of Hackers Center Security Group reported a vulnerability in Face Control. A remote user can view files on the target system.

The 'vis.pl' script does not properly validate user-supplied input in the 's' and 'p' parameters. A remote user can supply a URL with a specially crafted parameter value to view files on the target system.

Other parameters may also be affected.

Some demonstration exploit URLs are provided:

http://[target]/cgi-bin/e-cms/vis/vis.pl?s=001&p=../../../../etc/passwd%00

http://[target]/cgi-bin/e-cms/vis/vis.pl?s=../../../../etc/passwd%00

Impact:  A remote user can view files on the target system with the privileges of the target web service.
Solution:  The vendor has issued a fix and has provided customers with the update.
Vendor URL:  facecontrol.net/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  "spher3" <spher3@hackerscenter.com>
Message History:   None.


 Source Message Contents

Date:  Thu, 26 Jan 2006 15:21:38 +0100
From:  "spher3" <spher3@hackerscenter.com>
Subject:  [HSC] Multiple transversal bug in vis

 
Hackers Center Security Group (http://www.hackerscenter.com/)
spher3's Security Advisory
 
Multiple transversal bug in vis.pl
 
--------------------------------------------------------------------------
Description:
Vis.pl is a Perl script which manages files in order to display them;
you can find it in the e-cms default files. The vulnerability under
examination is classifiable as a transversal bug. In fact, it can show
anybody files such as passwords or accounts.
--------------------------------------------------------------------------
Code Details:
Vis.pl doesn't check the CGI query except for:
[...]
if ( -e $datFile )
{
open ( DAT_FILE, "$datFile" );
[...]
This function checks only that the file exists.
Then the script opens the file without checking for dangerous
characters such as "." and "/".
So it is simple to access whatever you want:
http://[target]/cgi-bin/e-cms/vis/vis.pl?s=001&p=../../../../etc/passwd%00
All variables that open files are unsafe:
http://[target]/cgi-bin/e-cms/vis/vis.pl?s=../../../../etc/passwd%00
--------------------------------------------------------------------------
How to fix:
You can fix this script by removing those dangerous characters, as taught
by the W3C WWW Security FAQ. Just add a line:
$datFile =~ s/\.\.//g;
You have to insert a line like this for ALL variables which contain files
to open.
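
A stricter form of the fix described in the advisory, as an added example (not code from vis.pl, the vendor's update or the advisory's author): allow-list the parameter as a single file name, canonicalize it, and confirm it still resolves inside the data directory before opening it. The function name `resolve_dat_file`, the `.dat` file names and the temporary directory are assumptions made for the demo.

```perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Return the canonical path of a requested data file, or undef when the
# parameter is not a plain file name that resolves inside $base.
sub resolve_dat_file {
    my ($base, $param) = @_;
    return undef unless defined $param;

    # Allow-list a single file name: no '/', no '..', no NUL byte (the %00
    # in the advisory's URLs), nothing but letters, digits, '_', '-', '.ext'.
    return undef
        unless $param =~ /\A[A-Za-z0-9_-]{1,64}(?:\.[A-Za-z0-9]{1,8})?\z/;

    # Canonicalize, then confirm the result is still under the base directory;
    # this also catches a symlink inside the directory that points elsewhere.
    my $real_base = eval { realpath($base) };
    return undef unless defined $real_base;
    my $real = eval { realpath(File::Spec->catfile($real_base, $param)) };
    return undef unless defined $real && index($real, "$real_base/") == 0;
    return -f $real ? $real : undef;
}

# Constructed demo: a temporary directory stands in for the script's data
# directory, whose real location the advisory does not give.
my $base = tempdir(CLEANUP => 1);
open(my $out, '>', File::Spec->catfile($base, '001.dat')) or die "create: $!";
print {$out} "sample record\n";
close($out);
eval { symlink('/etc/passwd', File::Spec->catfile($base, 'link.dat')) };

for my $p ('001.dat', 'link.dat', '../../../../etc/passwd',
           "../../../../etc/passwd\0") {
    (my $shown = $p) =~ s/\0/%00/g;
    my $path = resolve_dat_file($base, $p);
    if (defined $path) {
        # Three-argument open with an explicit read mode.
        open(my $fh, '<', $path) or die "open: $!";
        chomp(my $first = <$fh>);
        close($fh);
        print "ALLOW $shown -> $first\n";
    } else {
        print "DENY  $shown\n";
    }
}
```

Only `001.dat` is allowed; the symlink and both traversal strings are denied before any file is opened.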
 



Copyright 2006, SecurityGlobal.net LLC