SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   QNX Demodisk Vendors:   QNX Software Systems Ltd.
QNX Demodisk Web Server Discloses Files to Remote Users
SecurityTracker Alert ID:  1007028
SecurityTracker URL:  http://securitytracker.com/id/1007028
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 22 2003
Impact:   Disclosure of system information, Disclosure of user information

Version(s): 1.1
Description:   A vulnerability was reported in the web server supplied with a QNX Demodisk. A remote user can view arbitrary files on the system.

It is reported that the web server does not properly validate URLs. A remote user can request a specially crafted URL containing '../' directory traversal characters to view files on the system that are located outside of the web document directory.

A demonstration exploit URL is provided:

http://[target]/../../etc/passwd

Impact:   A remote user can view files on the system with the privileges of the web server process.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.qnx.com/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  QNX
Underlying OS Comments:  4.00

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] Local file retrieving in QNX Internet Appliance Toolkit http-daemon (web.server)


Local file retrieving in QNX Internet Appliance Toolkit http-daemon
(web.server)

Vendor-URL: http://www.qnx.com

Description:
--====--

I recently found a 3,5"-disk labeled with QNX-demo on my desk. This is
the "Take the 1.44M Web Challenge!"-disk I got it in 1998. I couldn't find
the demo on the qnx-website, but i found it on another site:
http://public.planetmirror.com/pub/qnx/demodisk/ (v4.00) Anyway, the
webserver doesn't check the url's, so you can view any text-file on the
diskette.

Affected (and tested) versions:
--========--

    v1.1
    Modem v3.03
    Network v4.00
    Network v405
    Modem v405

Vulnerability:
--====--

The document-root of the webserver is /usr/httpd, so type this URL in the
embedded webbrowser:

http://127.1/../../etc/passwd

and you'll see the /etc/passwd:
root::0:0:/usr/httpd:/bin/sh
bin::1:0:/bin:


Thanks for reading, greets to all,

Michael



P.S.: This is my first vulnerability :-)



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC