cached_feed.cgi.txt
Posted Oct 5, 2000
Authored by CDI | Site thewebmasters.net

Cached_Feed.cgi v1.0 from here.

tags | exploit, cgi
SHA-256 | 58833a60a07b6e7617ac6adbcde536677a6818e5d40950bc51da81bb9684196b

-----------------------------------------------------------
Arbitrary File Disclosure in Moreover.com's Cached_Feed.cgi

Application: cached_feed.cgi
Vendor: Moreover.com
Version: 1.0, Last Updated 4.July.00

Note, the version is implied. They never actually put a version
number in the file, just a "last updated" date.

Vendor Status: Notified, although they fixed it prior to my notification
to them.

Fix: Download new version 2.0.
http://w.moreover.com/dev/cache/

Synopsis:
*yawn* Yet another CGI that lacks sufficient (or in this case -any-)
input validation, leading to the exposure of readable files on the
system.

Description:
The cached_feed CGI supplied by Moreover.com is used to retrieve news
headlines from the Moreover.com site, and then store them for retrieval
and display within your own local web site. The program accepts two
arguments on the QUERY_STRING: the news category to retrieve, and the
format the headlines should be returned in. The two arguments are supplied
to the CGI using a raw query string in the form 'category+format', which
the web server splits on '+' and passes to the script as @ARGV:

$category = @ARGV[0];
$format = @ARGV[1];

These two lines comprise the bulk of the data validation performed by the
CGI. Here's the flaw in the source:

# Constants
$base_dir = ".";
$cache_dir = "$base_dir/cached_newsfeeds";
$cache_file = "$cache_dir/".$category.".".$format;

And a little later on...

if ($age < $cache_time)
{
$feed = &obtain_file($cache_file);
}

The 'obtain_file' function reads the file specified and returns its
contents. The CGI wraps up by printing the contents of the file back to
the browser. '$cache_time' defaults to 15 minutes. This limits the
functionality of the exploit a bit, as the targeted file needs to have been
created or modified in the last 15 minutes.

So, if your password file has been modified within the last 15 minutes,
the obvious exploit for this flaw will allow an intruder to retrieve the
file. The file will also be retrieved if the CGI is unable to contact the
Moreover server or if the Moreover server takes longer than 30 seconds to
respond. A crafty intruder could potentially induce such a delay using a
ping flood against the victim host.

Obvious Exploit:
http://victim/cgi-bin/cached_feed.cgi?../../../.+/etc/passwd
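From the defender's side, requests of the shape shown above leave a clear trace in the web server's access log, because the category and format travel in the bare query string. The following is an added example, not part of the original advisory or of Moreover's code: a small Perl scanner that picks the cached_feed.cgi requests out of constructed Common Log Format lines, URL-decodes the query, splits it the way the server does, and flags arguments containing path separators or '..' (a request for a format outside an assumed set of html/rss/js is also reported; that set is a guess, not something the advisory states).

```perl
#!/usr/bin/perl
# Added example (not from the advisory or from Moreover): flag
# cached_feed.cgi requests whose '+'-separated arguments look like paths.
use strict;
use warnings;

# Constructed sample access-log lines; not real traffic.
my @log_lines = (
    '10.0.0.5 - - [05/Oct/2000:10:01:02 -0400] "GET /cgi-bin/cached_feed.cgi?technology+html HTTP/1.0" 200 4120',
    '10.0.0.9 - - [05/Oct/2000:10:02:17 -0400] "GET /cgi-bin/cached_feed.cgi?../../../.+/etc/passwd HTTP/1.0" 200 1011',
    '10.0.0.9 - - [05/Oct/2000:10:02:40 -0400] "GET /cgi-bin/cached_feed.cgi?..%2F..%2F..%2F.+%2Fetc%2Fpasswd HTTP/1.0" 200 1011',
    '10.0.0.7 - - [05/Oct/2000:10:03:00 -0400] "GET /index.html HTTP/1.0" 200 2048',
);

# Assumed set of legitimate output formats; adjust to the deployment.
my %expected_format = map { $_ => 1 } qw(html rss js);

# Returns a reason string when the request looks like a traversal attempt,
# or undef when the line is not a cached_feed.cgi request or looks benign.
sub suspicious_request {
    my ($line) = @_;
    return unless $line =~ m{"(?:GET|HEAD|POST) (/\S*?cached_feed\.cgi)\?(\S*) HTTP/};
    my ($script, $query) = ($1, $2);

    # Decode %XX escapes first: the server decodes before splitting, so the
    # detector must look at the same bytes the script saw.
    (my $decoded = $query) =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;

    # Mirror the server's 'category+format' split into @ARGV.
    my ($category, $format) = split /\+/, $decoded, 2;
    $format = '' unless defined $format;

    my @reasons;
    push @reasons, 'category contains a path separator or ".."'
        if $category =~ m{/|\\|\.\.};
    push @reasons, 'format contains a path separator or ".."'
        if $format =~ m{/|\\|\.\.};
    push @reasons, "format '$format' not in the expected set"
        unless $expected_format{$format};
    return @reasons ? join('; ', @reasons) : undef;
}

for my $line (@log_lines) {
    my $why = suspicious_request($line);
    print $why ? "ALERT ($why)\n  $line\n" : "ok    $line\n";
}
```

The decode-then-split order matters: matching on the raw query would miss the third sample line, where the same argument arrives with the slashes percent-encoded. The format check is a heuristic that will also flag benign requests for formats you did not list, so tune the set to what the site actually serves.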

Vendor Status:
I first started playing with the CGI on Sept 5th. During my testing I
accidentally tipped off Moreover by not immediately disabling the headline
retrieval function while I was testing. This means that Moreover's server
valiantly attempted to handle a few requests containing '/etc/passwd'
attempts. (I was trying to yank the password file off my own server, not
Moreover's.) Apparently someone at Moreover was actually paying attention,
because on Sept 10th, they issued an updated version of the CGI containing
the following change notes:

# Version 2
# ---------
# In this version:
<snip>
# o Potential security hole fixed

Their fixes included exiting if unable to contact the Moreover server to
retrieve the headlines, as well as munging the requested cache file to
prevent directory traversal. (It still doesn't really validate - just
munges. *sigh*)
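The Description section shows the flaw as one unchecked string concatenation, and the vendor's fix replaced it with munging rather than validation. The following is an added example, not the advisory's code and not Moreover's version 2.0: it keeps the advisory's vulnerable construction of $cache_file for comparison and places beside it a validating replacement that allowlists the category characters and the format value, then confirms the assembled path contains no parent-directory component before any file is opened. The format allowlist (html, rss, js), the category character class and the length cap are assumptions for the example; the query-string splitting function only emulates what the web server does with a bare 'a+b' query, and omits URL-decoding.

```perl
#!/usr/bin/perl
# Added example (not from the advisory or from Moreover): the advisory's
# vulnerable $cache_file construction beside a validating replacement.
use strict;
use warnings;
use File::Spec;

my $base_dir  = ".";
my $cache_dir = "$base_dir/cached_newsfeeds";

# Emulates the web server turning a bare 'category+format' query string
# into @ARGV: split on '+' (URL-decoding omitted in this emulation).
sub args_from_query {
    my ($query_string) = @_;
    return split /\+/, $query_string;
}

# Vulnerable form, as quoted in the advisory: raw concatenation.
sub vulnerable_cache_file {
    my ($category, $format) = @_;
    return "$cache_dir/" . $category . "." . $format;
}

# Assumed set of formats the site actually serves.
my %allowed_format = map { $_ => 1 } qw(html rss js);

# Hardened form: validate, do not munge. Returns undef on any rejection so
# the caller never reaches obtain_file() with an attacker-chosen path.
sub safe_cache_file {
    my ($category, $format) = @_;
    return unless defined $category && defined $format;
    # Category: a short token of word characters only (assumed policy).
    return unless $category =~ /\A[A-Za-z0-9_]{1,40}\z/;
    # Format: must be one of the known values, not merely "look harmless".
    return unless $allowed_format{$format};

    my $path = File::Spec->catfile($cache_dir, "$category.$format");
    # Belt and braces: after canonicalising, no component may be '..'.
    my @parts = File::Spec->splitdir(File::Spec->canonpath($path));
    return if grep { $_ eq File::Spec->updir } @parts;
    return $path;
}

# Constructed inputs: a legitimate request, the advisory's traversal
# query, and a request for a format outside the allowlist.
for my $q ("technology+html", "../../../.+/etc/passwd", "sports+txt") {
    my ($category, $format) = args_from_query($q);
    my $unsafe = vulnerable_cache_file($category, $format);
    my $safe   = safe_cache_file($category, $format);
    printf "%-24s vulnerable: %-44s hardened: %s\n",
        $q, $unsafe, defined $safe ? $safe : "REJECTED";
}
```

Running this shows why the advisory's query works against the original: the category '../../../.' followed by the CGI's own '.' and the format '/etc/passwd' assembles into a path four levels above the cache directory. The hardened function rejects that request on the first regex, before the path is ever built; the final '..' check only exists to catch a future edit that loosens the allowlist. Stripping '../' from the input, as the version 2.0 munging does, leaves the decision about what is acceptable implicit, whereas an allowlist states it.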

CDI
____________________________________
The Web Master's Net
http://www.thewebmasters.net/
"We're sysadmins. We do remember. We don't forgive."
-- Mike Andrews in the Monastery

© 2022 Packet Storm. All rights reserved.