CGI vulnerability found in meta.pl that allows a remote user to view files on the system as the UID of the httpd server.
b7f7521aa7e1a5c8863f05860d8a9ccf5f935deae7fdd07e63ddbf8b161b997c
Vulnerable Program: Meta Tag Generator (meta.pl)
Platform : UNIX
Company : www.cgi-access.com
Impact : Remote users can view arbitrary files with httpd privileges
Found by : slackette (warminx@null.rewted.org)
Date : 14th November
Meta Tag Generator
__________________
As quoted from their site, "You can now offer your visitors a Meta Tag
Generator which will enable them to have their site's link ranked higher
in search engine results."
www.CGI-access.com's Meta Tag Generator takes user input for a description
or keywords pertaining to a user's site. It then creates specialised tags
for this process, before the user eventually submits their site to various
search engines.
Vulnerability
_____________
Meta Tag Generator uses a hard-coded physical path for its output.txt.
By editing the hidden variable on the HTML form, a user can view any file
on the system with the privileges of the httpd server's UID.
The following hidden field in the HTML source shows this hard-coded path
to output.txt in its VALUE attribute:
<INPUT TYPE=HIDDEN NAME=TextFile VALUE="/home/cgi-access/html/meta/output.txt">
Modifying this VALUE causes meta.pl to output the alternate file defined
by the user. This allows a remote user to view files such as /etc/passwd,
if the httpd UID has read access to the file.
Solution
____________
The simplest solution is to take the path to output.txt from an
environment variable inside meta.pl itself, so that the form does not
expose a direct hard-coded path.
-= warminx@null.rewted.org =-
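One way to apply the fix described under Solution, as an added example that is not the vendor's meta.pl or code from the advisory: the script takes the output path from the server environment, ignores the TextFile form field, and logs any request that still sends it. META_OUTPUT_FILE, the function names and the plain-text response are assumptions made for illustration, and the CGI.pm module is assumed to be installed.

```perl
#!/usr/bin/perl
# Added example: NOT the vendor's meta.pl. META_OUTPUT_FILE and the handler
# layout are assumptions made for illustration.
use strict;
use warnings;
use CGI ();

# Pattern the advisory describes (assumed shape): the file to read is taken
# from the hidden form field, so the client chooses it.
#     my $file = $q->param('TextFile');

# Fixed form: the path is decided on the server only. META_OUTPUT_FILE is a
# hypothetical variable the admin sets in the web server configuration; the
# fallback is the path shown in the advisory.
sub output_file {
    return $ENV{META_OUTPUT_FILE} || '/home/cgi-access/html/meta/output.txt';
}

# Return the client-sent TextFile value (non-printable bytes masked) so it
# can be logged. The corrected form has no such field, so any value is suspect.
sub unexpected_textfile {
    my ($q) = @_;
    my $sent = scalar $q->param('TextFile');
    return unless defined $sent;
    $sent =~ s/[^\x20-\x7e]/?/g;
    return $sent;
}

sub main {
    my $q = CGI->new;
    if (defined(my $sent = unexpected_textfile($q))) {
        my $peer = $ENV{REMOTE_ADDR} // 'unknown';
        warn "meta.pl: ignored TextFile='$sent' from $peer\n";   # httpd error log
    }
    print $q->header(-type => 'text/plain');
    # Three-argument open: the name is only ever treated as a file to read.
    if (open(my $fh, '<', output_file())) {
        print while <$fh>;
        close $fh;
    } else {
        print "Output is not available.\n";   # no path or errno sent to the client
    }
    return 0;
}

exit main();
```

The hidden TextFile field should also be removed from the HTML form, so that the warning in the error log only fires for requests that were built by hand or from the old form.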