CGIForum "thesection" Directory Traversal Vulnerability
BID:1963
Info
| Bugtraq ID: | 1963 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Nov 20 2000 12:00AM |
| Updated: | Nov 20 2000 12:00AM |
| Credit: | Reported to bugtraq by zorgon <[email protected]> on Mon, 20 Nov 2000. |
| Vulnerable: | Markus Triska CGIForum 1.0 |
| Not Vulnerable: | |
Discussion
CGIForum is a commercial CGI script from Markus Triska, designed to run web-based threaded discussion forums.
The script does not validate the value of the "thesection" parameter before using it to build a file path. A crafted URL whose "thesection" argument contains '../' sequences therefore makes the script walk out of its data directory and open whatever file the resulting path points to; a trailing null byte (%00 in the proof of concept) terminates the filename at that point, so any suffix the script appends to the name is ignored. As a result, a remote attacker can read arbitrary files on the host that are readable by the web server's user, 'nobody'.
Exploit / POC
http://127.0.0.1/cgi-bin/cgiforum.pl?thesection=../../../../../../etc/passwd%00
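The following is an added example, not code from CGIForum or from Markus Triska. It decodes the "thesection" value from the PoC URL above, shows the path an unchecked open() would receive once the NUL byte truncates the name (explaining why the '../' sequences in the Discussion reach /etc/passwd), shows a hardened resolver in the spirit of the s/\W//g whitelist in the Solution section, and flags traversal attempts in constructed access-log lines. The data directory path, the ".html" suffix and the log lines are assumptions; this page does not describe CGIForum's file layout.

```python
"""Added example (not CGIForum's or Markus Triska's code): how the
"thesection" traversal in the PoC resolves, and how a CGI script should
validate such a parameter. The data-directory path and the ".html" suffix are
assumptions; this page does not describe CGIForum's file layout."""
import os
import re
from urllib.parse import parse_qs, urlsplit

# The PoC URL from this advisory. %00 decodes to a NUL byte.
POC_URL = ("http://127.0.0.1/cgi-bin/cgiforum.pl"
           "?thesection=../../../../../../etc/passwd%00")

# Hypothetical location of the forum's section files.
SECTION_ROOT = "/var/www/cgiforum/sections"

# Constructed access-log lines (not real traffic) for the detection check below.
ACCESS_LOG = [
    '10.0.0.5 - - [20/Nov/2000:10:01:02 +0000] "GET /cgi-bin/cgiforum.pl?thesection=general HTTP/1.0" 200 4312',
    '10.0.0.9 - - [20/Nov/2000:10:01:07 +0000] "GET /cgi-bin/cgiforum.pl?thesection=../../../../../../etc/passwd%00 HTTP/1.0" 200 1094',
    '10.0.0.9 - - [20/Nov/2000:10:01:09 +0000] "GET /cgi-bin/cgiforum.pl?thesection=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.0" 200 1094',
]


def thesection_from_url(url: str) -> str:
    """Decode the thesection parameter the way a CGI library hands it to the script."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)["thesection"][0]


def naive_resolve(root: str, thesection: str) -> str:
    """The vulnerable pattern: build "$root/$thesection.html" and open it unchecked.

    Perl passes the bytes straight to the C library, which stops at the first
    NUL, so the %00 in the PoC discards the assumed ".html" suffix and the
    "../" sequences walk out of root. Returns the path the open() would see.
    """
    candidate = f"{root}/{thesection}.html".split("\x00", 1)[0]
    return os.path.normpath(candidate)


# Whitelist in the spirit of the s/\W//g fix in the Solution section, but
# rejecting rather than silently rewriting, so a forged name is logged, not served.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def safe_resolve(root: str, thesection: str) -> str:
    """Hardened form: whitelist the name, then confirm the result stays under root.

    The whitelist alone stops NUL and "../"; the realpath containment check is
    kept as defence in depth against symlinks or a later relaxed whitelist.
    """
    if not SAFE_NAME.fullmatch(thesection):
        raise ValueError(f"rejected section name: {thesection!r}")
    base = os.path.realpath(root)
    target = os.path.realpath(os.path.join(base, thesection + ".html"))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("section path escapes the data directory")
    return target


# Matches raw (still URL-encoded) request text: plain, encoded and NUL-terminated forms.
TRAVERSAL_SIGNS = re.compile(r"\.\.(/|%2f)|%2e%2e|%00", re.IGNORECASE)


def looks_like_traversal(raw_request: str) -> bool:
    """True if a raw request string contains traversal or NUL-byte markers."""
    return bool(TRAVERSAL_SIGNS.search(raw_request))


def suspicious_requests(log_lines):
    """Return the access-log lines that look like traversal attempts."""
    return [line for line in log_lines if looks_like_traversal(line)]


if __name__ == "__main__":
    name = thesection_from_url(POC_URL)
    print("vulnerable open() would read:", naive_resolve(SECTION_ROOT, name))
    try:
        safe_resolve(SECTION_ROOT, name)
    except ValueError as err:
        print("hardened check:", err)
    print("hardened check accepts:", safe_resolve(SECTION_ROOT, "general"))
    for line in suspicious_requests(ACCESS_LOG):
        print("suspicious:", line)
```

The detection regex works on the raw, still-encoded request string on purpose: matching after decoding would miss the `..%2F` variant in the third log line unless the decoder is applied first, and matching `%00` catches the null-byte trick regardless of what precedes it.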
Solution / Fix
Solution:
The vendor excerpt below, as published with this BID, comes from the DCScripts DCForum advisory and patches the "forum" parameter of dcboard.cgi and dcadmin.cgi; it is not a change to cgiforum.pl, and no CGIForum-specific fix is given on this page. The same approach (rejecting or stripping every non-word character before the value is used in a file path) is what a fix for "thesection" needs.
Excerpted from vendor's advisory (http://www.dcscripts.com/dcforum/dcfNews/124.html)
--------
FIX - In dcboard.cgi and dcadmin.cgi, after
$r_in = \%in;
ADD
$r_in->{'forum'} =~ s/\W//g;
NOTE - That's an uppercase W.
Please apply this patch as soon as possible.
-------------------------
David
--------
References
References:
- CGIForum download (Markus Triska)
- CGIForum Homepage (Markus Triska)