Agora.cgi E-Commerce System Discloses Path Names to Remote Users When in Debug Mode

Date: Jan 29 2002

Impact: Disclosure of system information

Exploit Included: Yes

Description: An information disclosure vulnerability was reported in Agora.cgi. A remote user can view the path name of the Agora.cgi installation if the server is configured in debug mode.
The following type of URL can reportedly be used to trigger the vulnerability:
http://agoracgistorehost/cgi-bin/store/agora.cgi?page=non-existent-file.html
This type of URL will return the absolute path of the installation, as shown below:
ERROR:FILE OPEN ERROR-./html/pages/non-existent-file.html
FILE: /home/httpd/cgi-bin/store/agora.cgi
LINE: 1114
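The error-handling difference at the heart of this entry, as an added Python example that is not agora.cgi's own (Perl) code: render_page_debug reproduces the shape of the debug-mode message quoted above, where the script's own absolute path is echoed to the client, and render_page_safe shows the form a live store should use, keeping the path and error detail in the server log and returning only an opaque reference. The page directory, the page-name pattern and the logger name are assumptions.

```python
import logging
import os
import re
import sys
import uuid

# Constructed for this example: the page directory taken from the advisory's error text.
PAGES_DIR = "./html/pages"
logger = logging.getLogger("store")


def render_page_debug(page: str) -> str:
    """Behaviour the advisory describes: in debug mode a failed open is
    reported with the script's absolute path and the failing line number."""
    path = os.path.join(PAGES_DIR, page)
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        line = sys.exc_info()[2].tb_lineno
        # os.path.abspath(__file__) is the installation path: this is the leak.
        return (f"ERROR:FILE OPEN ERROR-{path}\n"
                f"FILE: {os.path.abspath(__file__)}\nLINE: {line}")


def render_page_safe(page: str) -> str:
    """Hardened form: accept only a bare .htm/.html file name, keep the path
    and error text in the server log, and give the client an opaque reference."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.html?", page):   # assumed naming rule
        return "Page not found."
    path = os.path.join(PAGES_DIR, page)
    try:
        with open(path) as fh:
            return fh.read()
    except OSError as exc:
        ref = uuid.uuid4().hex[:8]                        # quoted by the user to support
        logger.error("ref=%s failed to open %s: %s", ref, path, exc)
        return f"Page not found (reference {ref})."


if __name__ == "__main__":
    print(render_page_debug("pretendpage.html"))
    print(render_page_safe("pretendpage.html"))
```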

Impact: A remote user can obtain information about the installation path of Agora.cgi on the server.

Solution: The vendor reportedly recommends that live stores should not be run in debug mode.

Vendor URL: www.agoracgi.com

Cause: Configuration error

Underlying OS: Linux (Any), UNIX (Any)

Reported By: superpetz@hushmail.com

Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: Mon, 28 Jan 2002 17:28:02 -0800
From: superpetz@hushmail.com
Subject: [SUPERPETZ ADVISORY #001 - agora.cgi Secret Path Disclosure Vulnerability]

[SUPERPETZ ADVISORY #001 - agora.cgi Secret Path Disclosure Vulnerability]
oO ____.
{+_'____.===
/\ /\
TITLE: agora.cgi Secret Path Disclosure Vulnerability
-----
discovery date: January 28th, 2002.
--------------
publication date: January 28th, 2002.
----------------
impact: sub-minor
------
local: nada
-----
remote: yes!
------
introduction:
------------
agora.cgi is a special "jazzed up" shopping cart product written by Steve Kneizys. If you wanna have fun, you can make a special store
that sells pretend contraband blank US passports, like I did.
Check it out here:
http://www.agoracgi.com/
background:
----------
This is what is known as a path disclosure vulnerability. It is not terribly exciting. The general idea behind this issue is that
an error page is giving out some potentially sensitive information. Sometimes this information is actionable, other times it is
totally "big whup!". Regardless, it is just a bad policy for a CGI to spew out sensitive information of any variety.
details:
-------
This issue can be easily reproduced. It appears to only be an issue in debug mode. Ideally, live stores will not have debug mode
on, but you never know... by the vendor's own admission, he accidentally had his own site running in debug mode.
I enter the following URL:
http://agoracgistorehost/cgi-bin/store/agora.cgi?page=pretendpage.html
(please note: pretendpage.html represents a non-existent .html file. It does not represent a cheeky pretend product page, like for
example the one I made for contraband black market passports.)
I get the following feedback (yay!):
ERROR:FILE OPEN ERROR-./html/pages/pretendpage.html
FILE: /home/httpd/cgi-bin/store/agora.cgi
LINE: 1114
This shows the absolute path to the cgi-bin directory that agora.cgi is located in.
Please consider that agora.cgi is not a dumb program. It does not like my attempts to feed the "?page=" parameter with a directory
traversal or a file that does not have a .htm/.html extension. It just has a tendency to blab the absolute path. My discovery of
this vulnerability is purely coincidental. I tried the more malicious type stuff after finding it.
workarounds/solutions:
---------------------
Do not run your agora.cgi store in debug mode.
vendor response:
---------------
The vendor provided a courteous and timely response to this issue. He mentioned a cross-site scripting issue with the debug mode.
No mention of a fix. Just advises me not to run the program in debug mode.
terms of vulnerability disclosure:
---------------------------------
The vendor did not cause me headaches or nosebleeds. The issue is really minor and conditional, with a sufficient workaround to mitigate
the problem. Based on these criteria I decided to disclose immediately.
copyright:
---------
I don't care if you copy this in whole or in part. Don't matter much to me.
contact:
-------
superpetz@hushmail.com