SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Man Page Lookup Vendors:   Collington, Andrew
Man Page Lookup $cmd Input Validation Flaw Discloses Files to Remote Users
SecurityTracker Alert ID:  1008689
SecurityTracker URL:  http://securitytracker.com/id/1008689
CVE Reference:   CVE-2004-0071   (Links to External Site)
Updated:  Jan 20 2004
Original Entry Date:  Jan 13 2004
Impact:   Disclosure of system information, Disclosure of user information
Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability was reported in Man Page Lookup. A remote user can view files on the system with the privileges of the target web service.

It is reported that the 'class.manpagelookup.php' script does not properly validate user-supplied input. A remote user can specify an absolute path filename to view the specified file. A demonstration exploit URL is provided:

http://[target]/manpage/index.php?command=/etc/resolv.conf

The flaw reportedly resides in the buildManPage() function.

Impact:   A remote user can view files on the target system with the privileges of the web server process.
Solution:   The vendor reportedly issued a fix on January 2, 2004, available at:

http://php.amnuts.com/index.php?do=fdload&id=1&file=class.manpagelookup.php

Vendor URL:  php.amnuts.com/index.php?do=view&id=1 (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  PHP Manpage lookup directory transversal / file disclosing


Hi ppl,

_Manpage Lookup_ is a PHP class that helps you to build a "manpage"
frontend in php. It is powered by Andy (http://php.amnuts.com).

The script _class.manpagelookup.php_ was vulnerable to a directory
transversal bug (because of leaks is input validation) that could lead
to disclose any readable (by the httpd process id) files on the remote
server.

The problem was located in the function buildManPage(), the $cmd
variable was not filtered enough and the path of any file to open could
be given across the user input.

Exploiting this issue was easy: 
http://www.foo.com/manpage/index.php?command=/etc/resolv.conf

The vulnerability has now been fixed by Andy. All people who are running
this script should upgrade asap (http://php.amnuts.com).

Best regards,

--
iSECURELABS.COM - http://www.isecurelabs.com

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC