
Title: Bug in Pagelog.cgi by Metertek
Released by: Mark Stratman
Date: 30th October 2000
There is a small bug in PAGELOG.cgi by Metertek (Metertek@yahoo.com) which allows users to create and view files.

Any file on the system with a '.log' extension readable by the uid/gid of the webserver can be viewed. In addition, two files with extensions of '.txt' and '.log' can be created in any directory on the system that is writable by the web server.

This bug lies in the failure of the script to check for directory traversal.



Proofs of concept:

Viewing '.log' file:

Create a file 'a.log' in tmp.

http://server/cgi-bin/pagelog.cgi?display=../../../../tmp/a

This will let you view a.log

Creating files:

http://server/cgi-bin/pagelog.cgi?name=../../../../../tmp/blah

This will create blah.txt and blah.log in /tmp/

The script can be found at http://members.nbci.com/metertek/archive/

cheers.

Mark Stratman (count0)
(mstrat1@uic.edu)
http://sporkstorms.org
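
The check the advisory says is missing, written here as an added example; it is not from the advisory and is not Metertek's code. It assumes the script appends '.log' or '.txt' to the request parameter, as the proofs of concept imply; `naive_path`, `safe_path`, `is_rejected` and the log directory are hypothetical names.

```python
import os
import re

# Assumption: the script builds file names by appending an extension to the
# request parameter (display=.../tmp/a reads a.log, per the proofs of concept).
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")
EXTENSIONS = (".log", ".txt")


def naive_path(base_dir, name, ext=".log"):
    """Flawed pattern: the parameter is joined to the log directory unchecked."""
    return os.path.normpath(os.path.join(base_dir, name + ext))


def safe_path(base_dir, name, ext=".log"):
    """Return the path for `name` inside base_dir, or raise ValueError."""
    if ext not in EXTENSIONS:
        raise ValueError("unexpected extension")
    # 1. Allowlist: rejects separators, dots, NUL bytes and empty names.
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("illegal characters in name")
    # 2. Containment: resolve symlinks, then confirm the result is still
    #    under base_dir (catches a symlink planted inside the log directory).
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name + ext))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes log directory")
    return candidate


def is_rejected(base_dir, name):
    """True when safe_path refuses the name."""
    try:
        safe_path(base_dir, name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    base = "/var/www/logs"  # hypothetical log directory
    # Constructed inputs: the two parameter values from the advisory, plus a benign one.
    for name in ("../../../../tmp/a", "../../../../../tmp/blah", "visits"):
        print(f"{name!r}: naive={naive_path(base, name)} rejected={is_rejected(base, name)}")
```

The same function should guard both the `display` (read) and `name` (create) code paths, since the advisory shows traversal through each.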







