adstreamer.txt

adstreamer.txt: Posted Dec 26, 2001; Authored by Gobbles Security | Site bugtraq.org; AdStreamer is a cgi package with several remote vulnerabilities, one of which allows remote command execution. Buggy open calls were found in addbanner.cgi, banner.cgi, bannereditor.cgi, and report2.cgi.; tags | exploit, remote, cgi, vulnerability; SHA-256 | b45aa093198822646a56eced2418259c61c1cd33a6793264a56045e50d87c79a; Download | Favorite | View

adstreamer.txt


[[ RFP's note:

I have verified this vulnerability in the current version on the site
indicated below.  The most severe problem would be that the
"$input{'cat'}.dat" open in banner.cgi would allow an attacker to run
commands (the 'cat' parameter is not double-checked/filtered in any way).
The other CGIs are less severe because they (should) be kept out of access
by the public, since they let you admin the whole banner system without
any native auth. ]]

----------------------------------------------------------------------------

PRODUCT
*******

AdStreamer
http://www.sha-la-la.com/adstreamer/

DESCRIPTION
***********

This software have many an open call that can exploited with Perl tricks
like ../, %00, |, etc.

bash-2.05$ egrep 'open|system|exec|eval' *.cgi
addbanner.cgi:#         This script is apart of the Banner Manager system.
It will add banners
addbanner.cgi:open(HEADERFILE, "banner/$thebannercat.dat") || die("error
opening the file $thebannercat.dat");
addbanner.cgi:open(HEADERFILE, ">banner/$thebannercat.dat") || die("error
opening the file $thebannercat.dat");
addbanner.cgi:  open(HEADERFILE, ">>banner/$logfile") || die("error opening
the file $logfile");
addbanner.cgi:  open(HEADERFILE, ">banner/$logfile") || die("error opening
the file $logfile");
banner.cgi:#            This script is apart of the Banner Manager system.
It adds banner
banner.cgi:open(HEADERFILE, "$input{'cat'}.dat") || die("error opening the
file $input{'cat'}.dat");
banner.cgi:open(HEADERFILE, ">$input{'cat'}.dat") || die("error opening the
file $input{'cat'}.dat");
banner.cgi:     open(HEADERFILE, ">>$logfile") || die("error opening the
file $logfile");
banner.cgi:     open(HEADERFILE, ">$logfile") || die("error opening the file
$logfile");
bannereditor.cgi:#              This script is apart of the Banner Manager
system.  It preforms banner
bannereditor.cgi:open(HEADERFILE, "titles.dat") || die("error opening the
file titles.dat");
bannereditor.cgi:       open(HEADERFILE, "$input{'cat'}.dat") || die("error
opening the file $input{'cat'}.dat");
bannereditor.cgi:       open(HEADERFILE, ">$input{'cat'}.dat") || die("error
opening the file $input{'cat'}.dat");
bannereditor.cgi:       open(HEADERFILE, "$input{'cat'}.dat") || die("error
opening the file $input{'cat'}.dat");
bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:       open(HEADERFILE, ">categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:       open(HEADERFILE, ">ref.dat") || die("error opening
the file ref.dat");
bannereditor.cgi:       open(HEADERFILE, ">titles.dat") || die("error
opening the file titles.dat");
bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:               open(HEADERFILE, "$cat.dat") || die("error
opening the file $cat.dat");
bannereditor.cgi:               open(HEADERFILE, ">$cat.dat") || die("error
opening the file $cat.dat");
bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:               open(HEADERFILE, "$cat.dat") || die("error
opening the file $cat.dat");
bannereditor.cgi:       open(HEADERFILE, ">>ref.dat") || die("error opening
the file ref.dat");
bannereditor.cgi:       open(HEADERFILE, ">>titles.dat") || die("error
opening the file titles.dat");
bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:                       open(HEADERFILE, "$cat.dat") ||
die("error opening the file $cat.dat");
bannereditor.cgi:                       open(HEADERFILE, ">>$cat.dat") ||
die("error opening the file $cat.dat");
bannereditor.cgi:       open(HEADERFILE, ">$input{'newcat'}.dat") ||
die("error opening the file $input{'newcat'}.dat");
bannereditor.cgi:       open(HEADERFILE, ">>categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:               open(HEADERFILE, "$cat.dat") || die("error
opening the file $cat.dat");
bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:       open(HEADERFILE, "ref.dat") || die("error opening
the file ref.dat");
jump.cgi:#              This script is apart of the Banner Manager system.
It recieves every
jump.cgi:open(HEADERFILE, "ref.dat") || die("error opening the file
ref.dat");
jump.cgi:               open(HEADERFILE, ">>$logfile") || die("error opening
the file $logfile");
jump.cgi:               open(HEADERFILE, ">$logfile") || die("error opening
the file $logfile");
report2.cgi:#           This script is apart of the Banner Manager system.
It generates reports
report2.cgi:open(HEADERFILE, "titles.dat") || die("error opening the file
titles.dat");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi:    open(HEADERFILE, "$file.log") || die("error opening the file
$file.log");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi:    open(HEADERFILE, "$file.log") || die("error opening the file
$file.log");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi:    open(HEADERFILE, "$file.log") || die("error opening the file
$file.log");
report2.cgi:open(HEADERFILE, "categories.dat") || die("error opening the
file categories.dat");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi:open(HEADERFILE, "categories.dat") || die("error opening the
file categories.dat");
report2.cgi:open(HEADERFILE, "$input{'log'}") || die("error opening the file
$input{'log'}");
report2.cgi:open(HEADERFILE, "$input{'log'}") || die("error opening the file
$input{'log'}");
report2.cgi:open(HEADERFILE, "$input{'log'}") || die("error opening the file
$input{'log'}");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi:open(HEADERFILE, "categories.dat") || die("error opening the
file categories.dat");

VENDOR NOTIFICATION
*******************

Vendor is informed now with public. Not to worry, since malicious people
don't read Bugtraq.


GOBBLES LABS
GOBBLES@hushmail.com
http://www.bugtraq.org/

Top Authors In Last 30 Days

Red Hat 240 files
indoushka 87 files
Ubuntu 85 files
Debian 22 files
LiquidWorm 21 files
Gentoo 8 files
Google Security Research 8 files
malvuln 5 files
Seth Jenkins 4 files
Emiliano Febbi 4 files

File Archives

Systems

AIX (430)
Apple (2,117)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,147)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,599)
HPUX (881)
iOS (391)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,669)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,125)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,946)
UNIX (9,470)
UnixWare (188)
Windows (6,784)
Other

adstreamer.txt

adstreamer.txt

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

adstreamer.txt

Share This

adstreamer.txt

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems