Local file exposure in Moreover.com's Cached_Feed.cgi
------------------------------------------------------------------------


SUMMARY

A vulnerability in Moreover.com's cached_feed.cgi <http://www.moreover.com/dev/cache/> 
allows remote attackers to read arbitrary local files (anything readable by the 
user the web server runs the CGI as). The cause is missing input validation: 
the two query-string arguments are concatenated straight into a file path, so 
directory-traversal sequences ('../') are honoured.

DETAILS

Vulnerable systems:
Cached_Feed.cgi version 1.0

Immune systems:
Cached_Feed.cgi version 2.0

The cached_feed CGI supplied by Moreover.com retrieves news headlines from 
the Moreover.com site and stores them locally, so that they can be served from 
and displayed within your own web site. The program accepts two arguments on 
the QUERY_STRING: the news category to retrieve, and the format the headlines 
should be returned in. They are supplied as a raw query string of the form 
'category+format' (no '=' sign). The web server treats such a query as a CGI 
"indexed" query: it splits the string on '+', percent-decodes each piece, and 
passes the pieces to the script as command-line arguments, which is how they 
end up in @ARGV:

  $category = @ARGV[0];
  $format   = @ARGV[1];

These two assignments are essentially all the handling the arguments receive; 
neither value is checked for '/', '..' or anything else before it is used. 
Here is the flaw in the source: 

  # Constants
  $base_dir        = ".";
  $cache_dir       = "$base_dir/cached_newsfeeds";
  # $category and $format are attacker-controlled and interpolated unfiltered
  $cache_file      = "$cache_dir/".$category.".".$format;

And a little later on...

  if ($age < $cache_time)
  {
     $feed = &obtain_file($cache_file);
  }

Here '$age' is the age of $cache_file (the time since it was last modified) 
and '$cache_time' defaults to 15 minutes. If the file is younger than that, 
the 'obtain_file' function reads the file specified and returns its contents, 
and the CGI wraps up by printing those contents back to the browser unchanged. 
This limits the functionality of the exploit a bit, as the targeted file needs 
to have been created or modified in the last 15 minutes for this branch to be 
taken.

Therefore, if your password file has been modified within the last 15 
minutes, the obvious exploit for this flaw will allow an intruder to 
retrieve the file. The file will also be retrieved if the CGI is unable 
to contact the Moreover server, or if the Moreover server takes longer 
than 30 seconds to respond. A crafty intruder could potentially induce such 
a delay, for instance with a ping flood against the victim host, so the 
15-minute window should not be relied on as a safeguard.

Exploit:
http://www.example.com/cgi-bin/cached_feed.cgi?../../../.+/etc/passwd

The '+' splits the query into $category = '../../../.' and 
$format = '/etc/passwd'. The '.' that the script inserts between the two 
joins with the trailing '.' of the category to form another '..', so 
$cache_file becomes './cached_newsfeeds/../../../../etc/passwd', resolved 
relative to the CGI's working directory (normally the directory holding the 
script). The number of '../' needed depends on how deep that directory sits 
below '/'; extra ones are harmless, since '..' of '/' is still '/'.
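To make the path arithmetic concrete, here is an added Python model of the flaw; it is not Moreover's code. It emulates the server's '+' splitting of an indexed query, rebuilds $cache_file exactly as the Perl above does, normalises the result against an assumed cgi-bin location of /var/www/cgi-bin, and contrasts it with a hardened builder that whitelists both arguments and checks that the result stays inside the cache directory. The hardened builder, the directory location and the sample category/format names are assumptions, not taken from the vendor's 2.0 release.

```python
import os
import re
import urllib.parse


def indexed_query_to_argv(query_string):
    """Emulate the CGI/1.1 'indexed' query rule: when QUERY_STRING contains
    no '=', the server splits it on '+' and percent-decodes each piece into
    argv.  This is how 'category+format' becomes @ARGV in cached_feed.cgi."""
    if "=" in query_string:
        return []  # a 'name=value' query is not passed as arguments
    return [urllib.parse.unquote(part) for part in query_string.split("+")]


def vulnerable_cache_path(argv, base_dir="."):
    """Path construction of cached_feed.cgi 1.0, transcribed from the Perl
    in the advisory: both arguments are interpolated into the path unchecked."""
    category, fmt = argv[0], argv[1]
    cache_dir = base_dir + "/cached_newsfeeds"
    return cache_dir + "/" + category + "." + fmt


def resolve_from(cgi_dir, relative_path):
    """Lexically normalise the path as open() would resolve it when the
    script's working directory is cgi_dir (base_dir '.' in the original)."""
    return os.path.normpath(os.path.join(cgi_dir, relative_path))


# Assumed whitelist for the hardened variant: letters, digits, '_' and '-'.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9_-]{1,64}")


def safe_cache_path(argv, base_dir="/var/www/cgi-bin"):
    """Hardened variant (an assumed fix, not Moreover's 2.0 code): accept
    exactly two arguments, allow only a conservative character set, and
    refuse any result whose normalised form leaves the cache directory."""
    if len(argv) != 2:
        raise ValueError("expected exactly two arguments: category and format")
    category, fmt = argv
    if not (SAFE_TOKEN.fullmatch(category) and SAFE_TOKEN.fullmatch(fmt)):
        raise ValueError("category/format contain disallowed characters")
    cache_dir = os.path.normpath(os.path.join(base_dir, "cached_newsfeeds"))
    candidate = os.path.normpath(os.path.join(cache_dir, category + "." + fmt))
    # Belt and braces: the whitelist already excludes '/' and '.', but a
    # containment check keeps this safe if the whitelist is ever loosened.
    if os.path.commonpath([cache_dir, candidate]) != cache_dir:
        raise ValueError("resolved path escapes the cache directory")
    return candidate


if __name__ == "__main__":
    # Constructed request: the exploit URL from the advisory, with the CGI
    # assumed to live in /var/www/cgi-bin (three levels below '/').
    argv = indexed_query_to_argv("../../../.+/etc/passwd")
    raw = vulnerable_cache_path(argv)
    print("argv       :", argv)
    print("cache_file :", raw)
    print("opens      :", resolve_from("/var/www/cgi-bin", raw))
    try:
        safe_cache_path(argv)
    except ValueError as err:
        print("hardened   : rejected,", err)
    print("hardened   :", safe_cache_path(["top_stories", "html"]))
```

The whitelist alone closes the hole; the containment check is there because real fixes tend to get loosened later (a category with a dot, a format with a slash) and a second, independent control is cheap.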


--
Eko Sulistiono
MIKRODATA & AntiVirus Media
Web: http://www.mikrodata.co.id/
WAP: http://www.mikrodata.co.id/wap/index.wml



------------------------------------------------------------------------
Forum Komunikasi Penulis-Pembaca MIKRODATA (FKPPM)
(MIKRODATA Writers' and Readers' Communication Forum)

Information : http:[EMAIL PROTECTED]
Archive     : http://www.mail-archive.com/forum%40mikrodata.co.id/
WAP         : http://mikrodata.co.id/wap/index.wml

This list contributes to several columns edited by the MIKRODATA team,
including columns that appear in other media.

Using, distributing and copying pirated software is a criminal act.

Please check with the latest AVP update before you ask about a virus:
ftp://mikrodata.co.id/avirus_&_security/AntiViral_Toolkit_Pro/avp30.zip

Send email to