Bugtraq mailing list archives

CGIs that accept file: URL schemes
From: Benjamin Elijah Griffin <bgriffin () CDDB COM>
Date: Thu, 27 Jul 2000 12:48:08 -0700

Some CGI programs operate on webpages and accept URLs of
the page to operate upon. This is all fine and good until
the program does not limit the URL schemes it accepts
properly. (The scheme is the part before the first colon,
e.g. 'http', 'https', and 'mailto'.)

Some months ago I noticed that there is a well known HTML
validator which is quite willing to accept file: URLs. It
then reads in the local file and attempts to validate it
as HTML, printing error messages along the way that reveal
the content of the file. This allows remote reading of any
file on the system available with the privileges of the
webserver.

I notified the maintainer of this validation service in
mid-March. I notice today it says it was last updated the
end of June, but it still validates <URL:file:///etc/fstab>
when requested.

I don't want to disclose the validator that does this,
because I think it affects only a single system, but I
do want to expose the problem of 'file' scheme URLs.

Benjamin
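
An added example, not part of the original post: a scheme allowlist check of the kind the message calls for, written in Python for a hypothetical page-fetching CGI. The function names, the allowed-scheme set and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Schemes the hypothetical validator CGI is willing to fetch (assumption).
ALLOWED_SCHEMES = frozenset({"http", "https"})


def check_fetch_url(raw):
    """Return the URL if the CGI may fetch it, otherwise raise ValueError."""
    # Many URL parsers silently strip surrounding whitespace and embedded
    # control characters, so " file:..." or "fi\tle:..." can slip past a
    # naive prefix test. Reject such input outright instead of guessing.
    if raw != raw.strip() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        raise ValueError("whitespace or control characters in URL")
    parts = urlsplit(raw)
    # urlsplit lower-cases the scheme, so "FILE:" and "file:" compare equal.
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme %r not allowed" % parts.scheme)
    # "http:/etc/fstab" and "http:///etc/fstab" name no host at all.
    if not parts.hostname:
        raise ValueError("URL has no host")
    return parts.geturl()


def classify(urls):
    """Map each URL to 'fetch' or to the reason it was rejected."""
    verdicts = {}
    for u in urls:
        try:
            check_fetch_url(u)
            verdicts[u] = "fetch"
        except ValueError as exc:
            verdicts[u] = str(exc)
    return verdicts


# Constructed sample inputs, not taken from any real service.
SAMPLES = [
    "http://www.example.com/page.html",
    "file:///etc/fstab",
    "FILE:/etc/fstab",
    " file:///etc/fstab",
    "/etc/fstab",
    "http:///etc/fstab",
]

if __name__ == "__main__":
    for url, verdict in classify(SAMPLES).items():
        print("%-40r %s" % (url, verdict))
```

The check has to run before the URL reaches the fetcher: Python's own urllib.request.urlopen, for one, opens file: URLs by default.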

