Vim Text Editor Backup File Configuration Errors May Let Remote Users View the Source Code of Web Scripts That Have Been Edited With the VIM Editor
|
Date: Dec 28 2001
|
Impact: Disclosure of user information
|
Exploit Included: Yes
|
Description: A configuration vulnerability was reported in the vim ("Vi IMproved") text editor. A remote user can view the source code of various scripts that have previously been edited using Vim.
A remote user can craft a URL that requests the backup file name of a script that the webmaster has edited with Vim, and so view the source code of the script.
It is reported that in Vim 3.0 and earlier, the 'backup' option is set by default and the original file is renamed to a filename appended with a '.bak' extension. It is reported that in Vim 4.0 and later, the 'backup' option is disabled by default. If enabled, the original file is reportedly renamed to a filename appended with the '~' character.
A demonstration exploit script is available at:
http://footclan.realwarp.net/passwd.php~ (Vim 4.0 and later)
http://footclan.realwarp.net/passwd.php.bak (Vim 3.0 and earlier)
|
Impact: A remote user may be able to view the source code of web scripts that have been previously edited using Vim on the web server.
|
Solution: Ensure that the backup configuration is turned off when editing source code files that are accessible via a web server.
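A defender-side audit for the condition described above, as an added example that is not part of the original advisory: a POSIX shell function that lists leftover '~' and '.bak' copies of scripts under a web document root and marks the ones readable by other users. The function name, the default extension list (php, cgi, pl) and the output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a web document root for
# leftover Vim backup copies of server-side scripts.
#
# Usage after sourcing this file:  find_vim_backups DOCROOT [EXT...]
#   DOCROOT  directory served by the web server
#   EXT...   script extensions to check (assumed default: php cgi pl)
#
# Output: one line per backup file, sorted, prefixed with
#   "world-readable"  the "other" read bit is set on the backup
#   "restricted"      the "other" read bit is not set
# The advisory notes that the backup keeps the original file's
# permissions, so a backup of a readable script is itself readable.
find_vim_backups() {
    docroot=${1:-}
    if [ ! -d "$docroot" ]; then
        echo "find_vim_backups: not a directory: $docroot" >&2
        return 2
    fi
    shift
    [ $# -gt 0 ] || set -- php cgi pl

    for ext in "$@"; do
        # "<name>.<ext>~"    : backup name used by Vim 4.0 and later
        # "<name>.<ext>.bak" : backup name used by Vim 3.0 and earlier
        find "$docroot" -type f \
            \( -name "*.$ext~" -o -name "*.$ext.bak" \) \
            \( -perm -004 -exec printf 'world-readable %s\n' {} \; \
               -o -exec printf 'restricted %s\n' {} \; \)
    done | sort
}
```

In Vim itself, `:set nobackup` turns the 'backup' option off.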
|
Vendor URL: www.vim.org/
|
Cause: Configuration error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: Chris Gragsone <maetrics@realwarp.net>
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 28 Dec 2001 01:25:25 -0500
From: Chris Gragsone <maetrics@realwarp.net>
Subject: Vim backup Source Disclosure Vulnerability
|
Vim backup Source Disclosure Vulnerability
by Chris Gragsone
Foot Clan
Date: December 27, 2001
Advisory ID: Foot-20011227
Impact of vulnerability: Source Disclosure
Exploitable: Remote
Maximum Risk: Moderate
Affected Software:
Vim
Vulnerability Description:
Vim is an improved version of the editor "vi", one of the standard text
editors on UNIX systems. Vim includes a 'backup' option, that once set
Vim renames the original file before it is overwritten. A malicious user
can request the backup name for the script bypassing the server side
processing and disclose the script's source code.
In Vim 3.0 and earlier, the 'backup' option is set by default, and the
original file is renamed to a filename appended with '.bak'. This
option is disabled by default in Vim 4.0 and later. However, if enabled
the original file is renamed to a filename appended with '~'. In each
case the backup file keeps the original permissions.
This is not a software bug rather a misconfiguration or administrative
oversight. The specific request involved with this vulnerability cannot
belong to a legitimate connection. This vulnerability has been tested
with PHP4 on Apache, but should affect all other scripts which are
routinely edited in the manner.
Vulnerability Reproduction:
with Vim 4.0 and later: http://footclan.realwarp.net/passwd.php~
with Vim 3.0 and earlier: http://footclan.realwarp.net/passwd.php.bak
References:
http://www.vim.org/
Contact:
http://footclan.realwarp.net/
Chris Gragsone (maetrics@realwarp.net)
Disclaimer:
The contents of this advisory are copyright (c)2001 Foot Clan and may be
distributed freely provided that no fee is charged for this distribution
and proper credit is given.