SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Database)  >   Informix Vendors:   IBM
Informix Database May Disclose Files on the System to Remote Users
SecurityTracker Alert ID:  1002811
SecurityTracker URL:  http://securitytracker.com/id/1002811
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Nov 23 2001
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  

Description:   A vulnerability has been reported in several sites running Informix. A remote user can obtain any file on the system.

A remote user can reportedly view any file on the system by using the '/../' string in the URL request. The sites where this flaw was discovered were apparently using Informix with the Netscape-Enterprise/4.0 server on the Solaris UNIX operating system.

On the affected sites, the image files are linked as such:

http://[targethost]/ifx/?
LO=00000001a6b7c8d900000003000000030004334d
38e02543000000000001eb800000000000000000000
0000000000000000000000000000000000000000000
000000000000000000

This apparently causes the Web DataBlade Module to retrieve an image from the wbBinaries system table.

A remote user can obtain the contents of a directory (for example, the /etc directory) by using the following type of URL:

http://[targethost]/ifx/?LO=../../../etc/

Files can also be retrieved via this method.

Impact:   A remote user can retrieve files from the system that are readable by the Web DataBlade Module.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.informix.com/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  double dot vulnerability on a site running Informix database.


Mailer: SecurityFocus

I found a doubledot vulnerability on a site running 
Informix database. I can read of any file on the 
system by putting /../ into the url. But so far I have 
only found two sites with this problem. 
The site is running Netscape-Enterprise/4.0 on 
Solaris according to Netcraft.com

On the site All image files are linked like this:
http://site.com/ifx/?
LO=00000001a6b7c8d900000003000000030004334d
38e02543000000000001eb800000000000000000000
0000000000000000000000000000000000000000000
000000000000000000 

This is a part of fetching an image from the 
wbBinaries system table. The Web DataBlade 
Module provides wbBinaries for storing large binary 
resources such as images, sounds, and videos.  

But if I want to get the content of etc directory:
http://site.com/ifx/?LO=../../../etc/

or even: 
http://site.com/ifx/?LO=../../../etc/passwd


So, is this a widespead bug?

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC