Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

RE: new advisory
From: sj () datanet hu
Date: Mon, 4 Feb 2002 12:05:47 +0100 (CET)
I think some filtering after the line '$q = new CGI;' would help a little

Eg.

my $SECMSG = 'Pliz dont hekk us\n";

if(!defined $q->param('cfg')){ die "missing cfg file\n"; }
my $xx = $q->param('cfg');

if($xx =~ /\.\.|\/\/|\.\//){ die $SECMSG; }
if($xx =~ tr/a-zA-Z0-9_\-//dc){ die $SECMSG; }

you could also check the ownership of $cfgfile and deny opening
root (and maybe other) owned files.


Exploit :

http://www.target.com/cgi-bin/14all.cgi?cfg=../../../../../../../../etc/passwd
http://www.target.com/cgi-bin/14all-1.1.cgi?cfg=../../../../../../../../etc/passwd
http://www.target.com/cgi-bin/traffic.cgi?cfg=../../../../../../../../etc/passwd
http://www.target.com/cgi-bin/mrtg.cgi?cfg=../../../../../../../../etc/passwd



SJ.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]