[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Webteachers Webdata: Importing files lower than web root possible in to database

Title: Webteachers Webdata: Importing files lower than web root possible in to database
Released by: Delphis Consulting Plc
Date: 26th September 2000
Printable version: Click here 
============================================================================

    Delphis Consulting Plc

============================================================================



   Security Team Advisories

       [26/09/2000]



    securityteam@delphisplc.com

  [http://www.delphisplc.com/thinking/whitepapers/]



============================================================================

Adv     :       DST2K0039

Title   :       Webteachers Webdata: Importing files lower than web root

possible in to database

Author  :       DCIST (securityteam@delphisplc.com)

O/S     :       Linux / WindowsNT

Product :       Webteachers WebData

Date    :       26/09/2000



I.    Description



II.   Solution



III.  Vendor Comments



IV.   Disclaimer





============================================================================



I. Description

============================================================================



Vendor URL: http://webteacher.com/webdata/



Delphis Consulting Internet Security Team (DCIST) discovered the following

vulnerability in WebData under Linux (although not tested under WindowsNT

we would expect the same results).



Severity: Medium (due to the fact that you need an account in WebData)



It is possible to import any file (i.e. /etc/passwd) from the file system

which the Webserver user (i.e. nobody) has access to in to the WebData

database. This enables potenial attackers to gain access to the contents

of a number of key files (i.e. hosts.allow / hosts.deny .etc) by browsing

the database afterwards.



Note: You need at least a member account to perform this action.



The below script won't just work but will require a little brain power

to get working with your database. This enables a user to import

anonymously any file that the web user has access to.



example script:


http://127.0.0.1/cgi-bin/webdata_test.pl" method="post">




Is the file comma or tab delimited?

















II. Solution

============================================================================



Vendor Status: Informed



Currently there us no known solution to this problem. Delphis have provided

a patch to the perl script below:



[root@dcist cgi-bin]# diff webdata_new.pl webdata_old.pl

9d8

< $webroot='/home/httpd/html/';

4069,4075c4068

<     if (length($user_data{pathname})>0) { # is the user using this method

<       $olddata = $user_data{pathname}; # store this so we have it for

later

<       $user_data{pathname} = $webroot . $user_data{pathname};

<       $user_data{pathname} =~ s/\.\.//g; # strip out all double dots

<     }

<     print " [$user_data{pathname}] ";

<     open (FIELDS,"<$fieldnames") or &error("could not open $fieldnames");



---

>     open (FIELDS,"<$fieldnames") or &error('could not open $fieldnames');

4095c4088

<     open (FILE,"<$user_data{pathname}") or &error("Could not open

$olddata");

---

>     open (FILE,"<$user_data{pathname}") or &error("Could not open

$user_data{pathname}");



III. Vendor Comments

============================================================================



Thank you for the security advise.  We will make the patch in the next

release. Most likely, the patch will simply require the imported file to

be in the "uploads" directory, to which Webdata already has an absolute

path, and no slashes will be permitted in the filename.



IV. Disclaimer

============================================================================

THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT

THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR

IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.  NEITHER THE AUTHOR NOR THE

PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR

CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE

PLACED ON, THIS INFORMATION FOR ANY PURPOSE.

============================================================================

This e-mail and any files transmitted with it are intended solely for the

addressee and are confidential. They may also be legally

privileged.Copyright in them is reserved by Delphis Consulting PLC

["Delphis"] and they must not be disclosed to, or used by, anyone other than

the addressee.If you have received this e-mail and any accompanying files in

error, you may not copy, publish or use them in any way and you should

delete them from your system and notify us immediately.E-mails are not

secure.  Delphis does not accept responsibility for changes to e-mails that

occur after they have been sent.  Any opinions expressed in this e-mail may

be personal to the author and may not necessarily reflect the opinions of

Delphis






(C) 1999-2000 All rights reserved.