adstreamer.txt

adstreamer.txt: Posted Dec 26, 2001; Authored by Gobbles Security | Site bugtraq.org; AdStreamer is a cgi package with several remote vulnerabilities, one of which allows remote command execution. Buggy open calls were found in addbanner.cgi, banner.cgi, bannereditor.cgi, and report2.cgi.; tags | exploit, remote, cgi, vulnerability; SHA-256 | b45aa093198822646a56eced2418259c61c1cd33a6793264a56045e50d87c79a; Download | Favorite | View

adstreamer.txt


[[ RFP's note:

I have verified this vulnerability in the current version on the site
indicated below.  The most severe problem would be that the
"$input{'cat'}.dat" open in banner.cgi would allow an attacker to run
commands (the 'cat' parameter is not double-checked/filtered in any way).
The other CGIs are less severe because they (should) be kept out of access
by the public, since they let you admin the whole banner system without
any native auth. ]]

----------------------------------------------------------------------------

PRODUCT
*******

AdStreamer
http://www.sha-la-la.com/adstreamer/

DESCRIPTION
***********

This software have many an open call that can exploited with Perl tricks
like ../, %00, |, etc.

bash-2.05$ egrep 'open|system|exec|eval' *.cgi
addbanner.cgi:#         This script is apart of the Banner Manager system.
It will add banners
addbanner.cgi:open(HEADERFILE, "banner/$thebannercat.dat") || die("error
opening the file $thebannercat.dat");
addbanner.cgi:open(HEADERFILE, ">banner/$thebannercat.dat") || die("error
opening the file $thebannercat.dat");
addbanner.cgi:  open(HEADERFILE, ">>banner/$logfile") || die("error opening
the file $logfile");
addbanner.cgi:  open(HEADERFILE, ">banner/$logfile") || die("error opening
the file $logfile");
banner.cgi:#            This script is apart of the Banner Manager system.
It adds banner
banner.cgi:open(HEADERFILE, "$input{'cat'}.dat") || die("error opening the
file $input{'cat'}.dat");
banner.cgi:open(HEADERFILE, ">$input{'cat'}.dat") || die("error opening the
file $input{'cat'}.dat");
banner.cgi:     open(HEADERFILE, ">>$logfile") || die("error opening the
file $logfile");
banner.cgi:     open(HEADERFILE, ">$logfile") || die("error opening the file
$logfile");
bannereditor.cgi:#              This script is apart of the Banner Manager
system.  It preforms banner
bannereditor.cgi:open(HEADERFILE, "titles.dat") || die("error opening the
file titles.dat");
bannereditor.cgi:       open(HEADERFILE, "$input{'cat'}.dat") || die("error
opening the file $input{'cat'}.dat");
bannereditor.cgi:       open(HEADERFILE, ">$input{'cat'}.dat") || die("error
opening the file $input{'cat'}.dat");
bannereditor.cgi:       open(HEADERFILE, "$input{'cat'}.dat") || die("error
opening the file $input{'cat'}.dat");
bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:       open(HEADERFILE, ">categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:       open(HEADERFILE, ">ref.dat") || die("error opening
the file ref.dat");
bannereditor.cgi:       open(HEADERFILE, ">titles.dat") || die("error
opening the file titles.dat");
bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:               open(HEADERFILE, "$cat.dat") || die("error
opening the file $cat.dat");
bannereditor.cgi:               open(HEADERFILE, ">$cat.dat") || die("error
opening the file $cat.dat");
bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:               open(HEADERFILE, "$cat.dat") || die("error
opening the file $cat.dat");
bannereditor.cgi:       open(HEADERFILE, ">>ref.dat") || die("error opening
the file ref.dat");
bannereditor.cgi:       open(HEADERFILE, ">>titles.dat") || die("error
opening the file titles.dat");
bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:                       open(HEADERFILE, "$cat.dat") ||
die("error opening the file $cat.dat");
bannereditor.cgi:                       open(HEADERFILE, ">>$cat.dat") ||
die("error opening the file $cat.dat");
bannereditor.cgi:       open(HEADERFILE, ">$input{'newcat'}.dat") ||
die("error opening the file $input{'newcat'}.dat");
bannereditor.cgi:       open(HEADERFILE, ">>categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:               open(HEADERFILE, "$cat.dat") || die("error
opening the file $cat.dat");
bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:       open(HEADERFILE, "ref.dat") || die("error opening
the file ref.dat");
jump.cgi:#              This script is apart of the Banner Manager system.
It recieves every
jump.cgi:open(HEADERFILE, "ref.dat") || die("error opening the file
ref.dat");
jump.cgi:               open(HEADERFILE, ">>$logfile") || die("error opening
the file $logfile");
jump.cgi:               open(HEADERFILE, ">$logfile") || die("error opening
the file $logfile");
report2.cgi:#           This script is apart of the Banner Manager system.
It generates reports
report2.cgi:open(HEADERFILE, "titles.dat") || die("error opening the file
titles.dat");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi:    open(HEADERFILE, "$file.log") || die("error opening the file
$file.log");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi:    open(HEADERFILE, "$file.log") || die("error opening the file
$file.log");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi:    open(HEADERFILE, "$file.log") || die("error opening the file
$file.log");
report2.cgi:open(HEADERFILE, "categories.dat") || die("error opening the
file categories.dat");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi:open(HEADERFILE, "categories.dat") || die("error opening the
file categories.dat");
report2.cgi:open(HEADERFILE, "$input{'log'}") || die("error opening the file
$input{'log'}");
report2.cgi:open(HEADERFILE, "$input{'log'}") || die("error opening the file
$input{'log'}");
report2.cgi:open(HEADERFILE, "$input{'log'}") || die("error opening the file
$input{'log'}");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi:open(HEADERFILE, "categories.dat") || die("error opening the
file categories.dat");

VENDOR NOTIFICATION
*******************

Vendor is informed now with public. Not to worry, since malicious people
don't read Bugtraq.


GOBBLES LABS
GOBBLES@hushmail.com
http://www.bugtraq.org/

Top Authors In Last 30 Days

Red Hat 239 files
indoushka 139 files
Ubuntu 79 files
Gentoo 33 files
Debian 26 files
Sebastian Hamann 8 files
Jann Horn 7 files
Google Security Research 6 files
Moritz Abrell 6 files
Jaggar Henry 6 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,110)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,941)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,657)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,783)
UNIX (9,443)
UnixWare (187)
Windows (6,679)
Other

adstreamer.txt

adstreamer.txt

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

adstreamer.txt

Share This

adstreamer.txt

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems