SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Directory Pro (CGI) Vendors:   CosmicFlame.com
Directory Pro CGI-based Web Directory Management Tool Lets Remote Users Obtain Files on the Server
SecurityTracker Alert ID:  1001629
SecurityTracker URL:  http://securitytracker.com/id/1001629
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 29 2001
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  

Description:   A vulnerability has been reported in the Directory Pro perl-based web directory management tool that allows remote users to obtain files located outside of the restricted web directory.

A remote user can use the following type of URL to obtain a file on the server (in this case, it is the file /etc/motd):

http://[targethost]/cgi-bin/directorypro.cgi?want=showcat&show=../../../..//etc/motd%00

Impact:   A remote user can obtain files located outside of the restricted web directory.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.cosmicperl.com/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  directorypro.cgi , directory traversal


cgi-script directorypro.cgi is vulnerable to a directory traversal.

http://target/cgi-bin/directorypro.cgi?want=showcat&show=../../../..//etc/motd%00

I didn't looked at the source of the script but it is probably a script
wat normally puts an extension to the requested file.
But bij putting the %00 (NULL) character at the end of your request you
can
bypass this. The extension will be appended but the string is read till
a
NULL character is found, so before the extension.

Didn't find any report of this bug on securityfocus and google.
And didn't inform vendor because i don't know who it is =)

Greetings

marshal (la~onda)
-- 
[ url  : http://www.startplaza.nu | security news & links    ]
[ url  : http://www.heknet.com    | security news & exploits ]

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC