SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Web Server/CGI)  >   Agora.cgi Vendors:   [Multiple Authors/Vendors]
Agora.cgi E-Commerce System Discloses Path Names to Remote Users When in Debug Mode
SecurityTracker Alert ID:  1003387
SecurityTracker URL:  http://securitytracker.com/id/1003387
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 29 2002
Impact:   Disclosure of system information
Exploit Included:  Yes  

Description:   An information disclosure vulnerability was reported in Agora.cgi. A remote user can view the path name of the Agora.cgi installation if the server is configured in debug mode.

The following type of URL can reportedly be used to trigger the vulnerability:

http://agoracgistorehost/cgi-bin/store/agora.cgi?page=non-existent-file.html

This type of URL will return the absolute path of the installation, as shown below:

ERROR:FILE OPEN ERROR-./html/pages/non-existent-file.html
FILE: /home/httpd/cgi-bin/store/agora.cgi
LINE: 1114
Impact:   A remote user can obtain information about the installation path of Agora.cgi on the server.
Solution:   The vendor reportedly recommends that live stores should not be run in debug mode.
Vendor URL:  www.agoracgi.com (Links to External Site)
Cause:   Configuration error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Responds) Re: Agora.cgi E-Commerce System Discloses Path Names to Remote Users When in Debug Mode   (Steve Kneizys <skneizys@yahoo.com>)
The vendor has responded to the bug report.


 Source Message Contents
Date:  Mon, 28 Jan 2002 17:28:02 -0800
Subject:  [SUPERPETZ ADVISORY #001 - agora.cgi Secret Path Disclosure Vulnerability]



[SUPERPETZ ADVISORY #001 - agora.cgi Secret Path Disclosure Vulnerability]

 oO ____.
{+_'____.=== 
   /\  /\


TITLE: agora.cgi Secret Path Disclosure Vulnerability
-----

discovery date: January 28th, 2002. 
--------------

publication date: January 28th, 2002.
----------------

impact: sub-minor
------

local: nada
-----

remote: yes!
------

introduction:
------------

agora.cgi is a special "jazzed up" shopping cart product written by Steve Kneizys. If you wanna have fun, you can make a special store
 that sells pretend contraband blank US passports, like I did.

Check it out here:

http://www.agoracgi.com/

background:
----------

This is what is known as a path disclosure vulnerability.  It is not terribly exciting. The general idea behind this issue is that
 an error page is giving out some potentially sensitive information.  Sometimes this information is actionable, other times it is
 totally "big whup!".  Regardless, it is just a bad policy for a CGI to spew out sensitive information of any variety. 

details:
-------

This issue can be easily reproduced.  It appears to only be an issue in debug mode.  Ideally, live stores will not have debug mode
 on, but you never know... by the vendor's own admission, he accidentally had his own site running in debug mode.

I enter the following URL:

http://agoracgistorehost/cgi-bin/store/agora.cgi?page=pretendpage.html

(please note: pretendpage.html represents a non-existent .html file.  It does not represent a cheeky pretend product page, like for
 example the one I made for contraband black market passports.) 

I get the following feedback (yay!):

ERROR:FILE OPEN ERROR-./html/pages/pretendpage.html
FILE: /home/httpd/cgi-bin/store/agora.cgi
LINE: 1114

This shows the absolute path to the cgi-bin directory that agora.cgi is located in. 

Please consider that agora.cgi is not a dumb program.  It does not like my attempts to feed the "?page=" parameter with a directory
 traversal or a file that does not have a .htm/.html extension.  It just has a tendency to blab the absolute path.  My discovery of
 this vulnerability is purely coincidental.  I tried the more malicious type stuff after finding it.

workarounds/solutions:
---------------------

Do not run your agora.cgi store in debug mode. 

vendor response:
---------------

The vendor provided a courteous and timely response to this issue.  He mentioned a cross-site scripting issue with the debug mode.
  No mention of a fix.  Just advises me not to run the program in debug mode.

terms of vulnerability disclosure:
---------------------------------

The vendor did not cause me headaches or nosebleeds.  The issue is really minor and conditional with a sufficient workaround to mitigate
 the problem.  Based on this criteria I decided to disclose immediately.

copyright:
---------

I don't care if you copy this in whole or in part. Don't matter much to me.

contact:
-------

superpetz@hushmail.com


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC