Sojourn File Access Vulnerability
BID:1052
Info
Sojourn File Access Vulnerability
| Bugtraq ID: | 1052 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Mar 14 2000 12:00AM |
| Updated: | Mar 14 2000 12:00AM |
| Credit: | Discovered by the Cerberus Security Team. Publicized in a Cerberus Information Security Advisory (CISADV000313) released March 13, 2000. |
| Vulnerable: |
Generation Terrorists Designs & Concepts Sojourn 2.0 |
| Not Vulnerable: | |
Discussion
Sojourn File Access Vulnerability
Any file that the webserver has read access to can be read on a server running the Sojourn search engine.
The Sojourn software includes the ability to organize a website into categories. These categories can then be accessed via the sojourn.cgi Perl script. This is done by making a request for a URL like:
http ://target/cgi-bin/sojourn.cgi?cat=categoryname
Each category has an associated .txt file based on the category name. The program appends the .txt extension onto the contents of the 'cat' variable. However, the program will accept and follow the '../' string in the variable contents, allowing read access to any .txt file the webserver can read.
This restriction can be bypassed by appending %00 to the end of the requested file, which will prevent the .txt extension from being used in the filename.
Any file that the webserver has read access to can be read on a server running the Sojourn search engine.
The Sojourn software includes the ability to organize a website into categories. These categories can then be accessed via the sojourn.cgi Perl script. This is done by making a request for a URL like:
http ://target/cgi-bin/sojourn.cgi?cat=categoryname
Each category has an associated .txt file based on the category name. The program appends the .txt extension onto the contents of the 'cat' variable. However, the program will accept and follow the '../' string in the variable contents, allowing read access to any .txt file the webserver can read.
This restriction can be bypassed by appending %00 to the end of the requested file, which will prevent the .txt extension from being used in the filename.
Exploit / POC
Sojourn File Access Vulnerability
http ://target/cgi-bin/sojourn.cgi?cat=../../../../../../etc/passwd%00
http ://target/cgi-bin/sojourn.cgi?cat=../../../../../../etc/passwd%00
Solution / Fix
Sojourn File Access Vulnerability
Solution:
A patched version of Sojourn has been released. Contact the vendor for more information.
<[email protected]>
Solution:
A patched version of Sojourn has been released. Contact the vendor for more information.
<[email protected]>
References
Sojourn File Access Vulnerability
References:
References:
- Sojourn Home Page (Generation Terrorists Designs & Concepts)