Bugtraq mailing list archives

lastlines.cgi path traversal and command execution vulns
From: "BrainRawt ." <brainrawt () hotmail com>
Date: Sun, 30 Dec 2001 18:27:29 +0000


Lastlines.cgi path traversal and command execution vulnerabilities
discovered by BrainRawt.

I wasn't planning on submitting this to bugtraq for it's not a
widely used cgi but it is still available for download and some
people may be using it.

lastlines.cgi is a script coded by David Powell that allows
a user to view the contents of a logfile specified by the user.

# $unix_dir="path/here";
# $error_log is input by the user of the script.

open(FILE, "$unix_dir/$error_log");

This script improperly filters the input, allowing the traditional
"../../../../../" path traversal chars, in return allowing the user
to leave the hard coded $unix_dir and view any file readable by
the webserver.

EX:../../../../../../etc/motd

This script is also missing a "<" in the open() function which
will allow us to execute any command on that remote server that the
webserver has permission to execute.

EX: path/to/error_log;command arg1|

Note: The author has been notified but hasn't replied.
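
A hardened way to open the requested log, as an added example that is not part of the original post and not code from lastlines.cgi: it allowlists the file name, confirms the resolved path stays under $unix_dir, and uses three-argument open() with an explicit "<" mode. The helper name open_log, the temporary directory and the sample log line are assumptions constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Temp qw(tempdir);

# Hypothetical helper (not from lastlines.cgi): return a read-only handle for
# a log inside $unix_dir, or nothing if the requested name is not acceptable.
sub open_log {
    my ($unix_dir, $error_log) = @_;

    # 1. Allowlist the name: one path component made of safe characters.
    #    This rejects "/", "..", ";", "|" and whitespace outright.
    return unless defined $error_log
        && $error_log =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;

    # 2. Resolve symlinks and confirm the result is still under $unix_dir.
    my $base = abs_path($unix_dir);
    my $real = abs_path("$unix_dir/$error_log");
    return unless defined $base && defined $real
        && index($real, "$base/") == 0 && -f $real;

    # 3. Three-argument open with an explicit "<" mode: the file name is
    #    never parsed for a mode prefix or a trailing pipe.
    open(my $fh, '<', $real) or return;
    return $fh;
}

# Constructed demo: a temporary log directory and three sample requests,
# the last two being the inputs quoted in the post above.
my $unix_dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$unix_dir/error_log") or die "setup: $!";
print {$out} "constructed log line\n";
close($out);

for my $req ('error_log', '../../../../../../etc/motd', 'error_log;command arg1|') {
    my $fh = open_log($unix_dir, $req);
    printf "%-32s %s\n", $req, $fh ? 'opened' : 'rejected';
    close($fh) if $fh;
}
```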
