[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Anaconda Foundation Directory NULL byte vulnerability

Title: Anaconda Foundation Directory NULL byte vulnerability
Released by: Synnergy
Date: 13th October 2000
Printable version: Click here 
        Synnergy Laboratories Advisory SLA-2000-17



NAME



       Anaconda Foundation Directory NULL byte vulnerability



AFFECTED



        Linux/UNIX with Anaconda Foundation Directory



SYNOPSIS



 Synnergy Labs has found a flaw within Anaconda Foundation Directory that allows a user to

 successfully traverse the filesystem on a remote host, allowing arbitary files/folders to

 be read.





DESCRIPTION



 The Anaconda Foundation Directory is a Yahoo style search engine based on the Open Directory

 project, www.dmoz.org. The Anaconda Foundation Directory allows you to dynamically integrate content into

 your site's own look and feel. This is the exact same content that Lycos features on their

 front page! Product pricing is $499 US.



 Anaconda Foundation Directory can be found at:http://anacondapartners.com/ap_afodpdemo.html



 Synnergy has recently discovered a flaw within Anaconda Foundation Directory that allows a remote

 user to traverse the filesystem as a request to the script using the $template=_some_file_. It is

 then possible to read any file contents with priviledges as the httpd.

 Although the script checks for the file extension (.htm, .html, .html, .stm) adding a trailing

 %00.html, (a NULL byte in URL encoded format), at the end of the request will force the script to

 open the file.



 Example:



 http://www.target.com/cgi-bin/apexec.pl?etype=odp&template=../../../../../../../../../etc/resolv.conf%00.html&passurl=/category/





 The above line if given will output the file contents of /etc/resolv.conf.



SOLUTION



  The vendors have been informed of the bug. It is advised to wait for the next patched version of

  Anaconda Foundation Directory to be released.





AUTHOR



        Discovery: pestilence @ synnergy.net





DISCLAIMER



        Synnergy Laboratories may not be held liable for the use or potential

        effects of these programs or advisories, nor the content contained

        within. Use them at your own risk.



COPYRIGHT



        Synnergy Laboratories -  www.synnergy.net (c) 1998-2000






(C) 1999-2000 All rights reserved.