what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

sbox-adv.txt

sbox-adv.txt
Posted Sep 25, 2003
Authored by e2fsck | Site eightone.mafiadodiva.org

sbox version 1.04, the CGI wrapper that allows for safer execution of scripts, has a path disclosure vulnerability.

tags | advisory, cgi
SHA-256 | fc5c9dad742ebccdda421f6976490552abe905fc46a6e3f379b4330516de256a
Download | Favorite | View

sbox-adv.txt

Change Mirror Download


      ---------------------------
                        EightOne Research Facility
                        ---------------------------

EORF2003-04 (security advisory)

Title: sbox has a information disclosure problems

Author: Julio "e2fsck" Cesar

Vendor: http://stein.cshl.org/WWW/software/sbox

Versions: sbox 1.04 and later

Date: 18 Sep 2003



1. Description

  sbox is a CGI wrapper that allows CGIs to be executed more safely. What
sbox does is "box" the CGI script into a secure enviroment and run it.
  EightOne Research Facility has discovered a path disclosure problem in 
sbox, which allows malicious users to know the physical path of the server 
and the username of the domain.


2. Details

  When a user makes a request to /cgi-bin directory, sbox intermediates 
this query and executes the CGI script in a restricted enviroment, but before
this execution, it makes some checking such as CGI scripts in world-writable
directories. When a query to a non-existent script in /cgi-bin is made, sbox
display an error that reveals some information that shouldn't be revealed, 
such as physical path.
  Here is an example: http://your.vulnerable.site/cgi-bin/non-existent.pl
and look what we get

-- snip --
Sbox Error
The sbox program encountered an error while processing this request. 
Please note the time of the error, anything you might have been doing at 
the time to trigger the problem, and forward the information to this 
site's Webmaster (root@your.vulnerable.site).

    Stat failed. /home/jcf/cgi-bin/a.pl: No such file or directory 

sbox version 1.04
$Id: sbox.c,v 1.9 2000/03/28 20:12:40 lstein Exp $
-- unsnip --

It revealed the username of the domain and the physical path of cgi-bin 
directory. And is possible to use the gotten username to make brute force 
attacks to guess the user's password to obtain unauthorized access.


3. Solution

  Stein Laboratory has been contacted but I haven't received any reply yet.

Thanks Despise for being this cool guy and helped us when we needed.
Sorry if there are english mistakes.

Regards,
members of EightOne.

EightOne Research Facility - http://eightone.mafiadodiva.org
Recife, PE, Brazil

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close