exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

sbox-adv.txt

sbox-adv.txt
Posted Sep 25, 2003
Authored by e2fsck | Site eightone.mafiadodiva.org

sbox version 1.04, the CGI wrapper that allows for safer execution of scripts, has a path disclosure vulnerability.

tags | advisory, cgi
SHA-256 | fc5c9dad742ebccdda421f6976490552abe905fc46a6e3f379b4330516de256a

sbox-adv.txt

Change Mirror Download


---------------------------
EightOne Research Facility
---------------------------

EORF2003-04 (security advisory)

Title: sbox has a information disclosure problems

Author: Julio "e2fsck" Cesar

Vendor: http://stein.cshl.org/WWW/software/sbox

Versions: sbox 1.04 and later

Date: 18 Sep 2003



1. Description

sbox is a CGI wrapper that allows CGIs to be executed more safely. What
sbox does is "box" the CGI script into a secure enviroment and run it.
EightOne Research Facility has discovered a path disclosure problem in
sbox, which allows malicious users to know the physical path of the server
and the username of the domain.


2. Details

When a user makes a request to /cgi-bin directory, sbox intermediates
this query and executes the CGI script in a restricted enviroment, but before
this execution, it makes some checking such as CGI scripts in world-writable
directories. When a query to a non-existent script in /cgi-bin is made, sbox
display an error that reveals some information that shouldn't be revealed,
such as physical path.
Here is an example: http://your.vulnerable.site/cgi-bin/non-existent.pl
and look what we get

-- snip --
Sbox Error
The sbox program encountered an error while processing this request.
Please note the time of the error, anything you might have been doing at
the time to trigger the problem, and forward the information to this
site's Webmaster (root@your.vulnerable.site).

Stat failed. /home/jcf/cgi-bin/a.pl: No such file or directory

sbox version 1.04
$Id: sbox.c,v 1.9 2000/03/28 20:12:40 lstein Exp $
-- unsnip --

It revealed the username of the domain and the physical path of cgi-bin
directory. And is possible to use the gotten username to make brute force
attacks to guess the user's password to obtain unauthorized access.


3. Solution

Stein Laboratory has been contacted but I haven't received any reply yet.

Thanks Despise for being this cool guy and helped us when we needed.
Sorry if there are english mistakes.

Regards,
members of EightOne.

EightOne Research Facility - http://eightone.mafiadodiva.org
Recife, PE, Brazil

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close