Sojourn File Access Vulnerability

BID:1052

Info

Sojourn File Access Vulnerability

Bugtraq ID: 1052
Class: Input Validation Error
CVE:
Remote: Yes
Local: Yes
Published: Mar 14 2000 12:00AM
Updated: Mar 14 2000 12:00AM
Credit: Discovered by the Cerberus Security Team. Publicized in a Cerberus Information Security Advisory (CISADV000313) released March 13, 2000.
Vulnerable: Generation Terrorists Designs & Concepts Sojourn 2.0
Not Vulnerable:

Discussion

Sojourn File Access Vulnerability

Any file that the webserver has read access to can be read on a server running the Sojourn search engine.

The Sojourn software includes the ability to organize a website into categories. These categories can then be accessed via the sojourn.cgi Perl script. This is done by making a request for a URL like:

http ://target/cgi-bin/sojourn.cgi?cat=categoryname

Each category has an associated .txt file based on the category name. The program appends the .txt extension onto the contents of the 'cat' variable. However, the program will accept and follow the '../' string in the variable contents, allowing read access to any .txt file the webserver can read.

This restriction can be bypassed by appending %00 to the end of the requested file, which will prevent the .txt extension from being used in the filename.

Exploit / POC

Sojourn File Access Vulnerability

http ://target/cgi-bin/sojourn.cgi?cat=../../../../../../etc/passwd%00

Solution / Fix

Sojourn File Access Vulnerability

Solution:
A patched version of Sojourn has been released. Contact the vendor for more information.
<[email protected]>

References

Sojourn File Access Vulnerability

References:
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report