[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Remote Web Server Text File Viewing Vulnerability in WebLibs 1.0
From:       John Bissell <monkey321_1 () hotmail ! com>
Date:       2004-12-07 21:12:35
Message-ID: 20041208034120.24684.qmail () www ! securityfocus ! com
[Download RAW message or body]



Advisory:
=========
 Remote Web Server Text File Viewing Vulnerability in WebLibs 1.0

Author:
=======
 John Bissell A.K.A. HighT1mes

Vendor Homepage:
================
 http://awsd.com/

Date:
=====
 12, 07, 2004

Severity:
=========
 High

Overview:
=========
WebLibs is a pretty popular simple little Perl script made avaiable from  Darryl C. \
Burgdorf on his site at http://awsd.com/scripts/weblibs/index.shtml. This script is \
very old and I'm surprised no one else came upon this vulnerability a while ago. \
People can install the script on there server so they can invite visitors to thier \
site to have some fun and create there own mad libs called web libs to amuse at...

Problem Details:
================
The security vulnerability as whoever is reading this might guess is caused by a lack \
of proper input validation when the weblibs.pl script reads in a static piece of \
sensitive data hidden in a hidden <INPUT> tag embedded inside the dynamically \
generated web page. This lack of input validation leads to a typical directory \
traversal attack (sometimes directory traversal isn't even needed if the web \
enviroment is setup in a particular way) that can be leveraged to read in \
non-executable text file from the vulnerable web server that the web server has \
permission. The line of Perl code that causes this vulnerability is...

open (FILE,"$FORM{'TextFile'}");

There may be a way to get local files to execute on the system or get the output from \
commands like ls -la. I haven't done any through testing so I will leave this open \
for the computer security community to look into if they wish.

Explotation:
============
To exploit this vulnerability the attacker/pen tester needs to first save a copy of \
the initial generated WebLibs page that asks for the users input so the script can \
generate the results for the user. Next after making a local copy of that page you \
need to look for the HTML <INPUT> tag that has a name="TextFile" attribute. For \
instance <INPUT type=hidden value="/some/path/to/the/weblibs/input.txt" \
name="TextFile"> 

Now simply edit the line to something other non executable server file like \
/etc/passwd or /etc/hosts etc to read sensitive private data from the vulnerable web \
server which may give the the person attacking a chance at gaining shell access to \
the web server. For example edit the HTML line mentioned above to something like \
<INPUT type=hidden value="/../../../../../etc/passwd" name="TextFile"> then save the \
file and load it up in your web browser, fill in all the form input fields hit the \
submit button and the vulnerable web server will return the contents of the text file \
requested if allowed.

Solution:
=========
 One possible solution is to not use the hidden <INPUT> tag in the generated pages \
from weblibs.pl and instead define $TextFile as a user installation variable that \
needs to be filled in only in the beginning by the script installer so the attacker \
can't easily manipulate it.

Vendor Status:
==============
 The author of this script has been notified by email of this issue...


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic