eXtropia: the open web technology company
Security - WebBanner exposes user password!
informed us about a security vulnerability. So here it is!

Here's the email.

One of our subscribers has reported a security vulnerability with your product. The description of this vulnerability is attached below. We would like to know if you are aware of this problem, and whether you have some solution for it.


Description
In your browser, simply type
http://yourdomain/random_banner/index.cgi?image_list=alternative_image.list&html_file=../../../../../etc/passwd

This should show the passwd file as user nobody (if the server is serving the page as user nobody ...).

I have tried to execute a command with |, but it will not always work, because the script runs by default with the -T option (#!/usr/bin/perl -T). You can first view the script code in the above way and check whether there is a -T option; if not, you can execute any command as the nobody user ( ....&html_file=|ls -la| )

Solution
A snippet of script index.cgi at line 195 without comments

---[ line 195 + ]-------------------------------------------------

open (HTML_VIRTUAL, "$html_file") ||
       &CgiDie (" blablabla... ");
while (<HTML_VIRTUAL>)
{
  if (/\<!--IMG GOES HERE--\>/)
  {
    print qq!
  <A HREF = "$random_url">
  <IMG SRC = "$image_url/$random_image"></A>!;
  } else {
    print "$_";
  }
}
close (HTML_VIRTUAL);
------------------------------------------------------------------

The above snippet is not safe code. To make it safer, good code must look like this:
---[ change above snippet to this snippet! ]----------------------

  # Decode %XX escapes first, so the check below sees the real characters
  $html_file =~ s/\%([\d\w]{2})/pack('c',hex($1))/gie;

  # Refuse any value that contains "../" or a pipe character
  if( $html_file =~ /\.\.\/|\|/ )
  {
    &CgiDie( "Not allowed... " );
  } else {
    open (HTML_VIRTUAL, "$html_file") ||
      &CgiDie ( "I'm sorry, but I was unable to open the requested
      HTML file in the Insert Random Banner Into Page routine.  The
      value I have is $html_file.  Would you please check the path and
      the permissions for the file." );
    while (<HTML_VIRTUAL>)
    {
      if (/\<!--IMG GOES HERE--\>/)
      {
        print qq!
  <A HREF = "$random_url">
  <IMG SRC = "$image_url/$random_image"></A>!;
      } else {
        print "$_";
      }
    }
    close (HTML_VIRTUAL);
  }
------------------------------------------------------------------

Then you can only get a file in the current directory or an upper directory.
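
An allow-list alternative to the pattern check in the report's fix, as an added example that is not part of the original email or of eXtropia's code. The template directory, the `.html`/`.htm` naming rule and the helper names `safe_template_path` and `open_template` are assumptions made for illustration.

```perl
use strict;
use warnings;
use File::Spec;

# Hypothetical fixed directory that holds the HTML templates (an assumption,
# not a path taken from WebBanner).
my $TEMPLATE_DIR = '/var/www/random_banner/templates';

# Return a path inside $TEMPLATE_DIR for an acceptable name, or undef.
# Allow-list: a bare file name made of letters, digits, '_', '-' and '.',
# starting with a letter, digit or '_', ending in .html or .htm, and with
# no directory part at all.
sub safe_template_path {
    my ($name) = @_;
    return unless defined $name;
    # \A and \z anchor the whole string; the capture also untaints the
    # value when the script runs under perl -T.
    return unless $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\.html?)\z/;
    return File::Spec->catfile($TEMPLATE_DIR, $1);
}

# Open the template read-only. Three-argument open treats the path purely
# as a file name, so '|', '>' or '<' in it is never read as a mode or command.
sub open_template {
    my ($name) = @_;
    my $path = safe_template_path($name) or return;
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed sample inputs: the two html_file values from the report plus
# a few others a validator should be checked against.
for my $input ('page.html', '../../../../../etc/passwd', '|ls -la|',
               '/etc/passwd', 'page.html%00', '.hidden.html') {
    my $path = safe_template_path($input);
    printf "%-28s => %s\n", $input, defined $path ? $path : 'rejected';
}
```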