Re: WebSPIRS CGI script "show files" Vulnerability.

2001-02-13 Thread Ashwin Kutty

I have just tried this with WebSpirs 3.1
The URL I tried is..
http://www.targethost.com/spirs/webspirs.cgi?sp.nextform=../../../../../etc/passwd

It worked.. I also tried this with WebSpirs 4.2 and it did NOT work.. I have not tried
WebSpirs 4.3 yet.. Maybe it is cause you have it in your cgi-bin.. I have it outside my
cgi-bin in a different directory.. In fact, when you try this with WebSpirs 4.2 it says,
Security Violation Detected, Contact your Systems Administrator.. In WebSpirs 4.2 the way
we have it is, URL/dbname?sp.nextform=blah/blah/blah, Now if you switch the dbname with
webspirs.cgi it comes back with no data.. Using it as the
dbname?sp.nextform=../../../../etc/passwd gives a security violation message..

WebSpirs 3.1 is Vulnerable..
WebSpirs 4.2 is not.. (In WebSpirs4.2 you do not need to put iwebspirs.cgi)
WebSpirs 4.3 is not tested yet..

UkR-XblP wrote:

> ---UkR security team advisory #1 
> WebSPIRS CGI script "show files" Vulnerability.
> --
>
> Name: WebSPIRS CGI script "show files" Vulnerability.
> Date: 27.01.2001
> About: WebSPIRS is SilverPlatter's Information Retrieval
> System for the World Wide Web (WWW). It is a common gateway
> interface (CGI) application which allows any forms-capable
> browser, such as Netscape, to search SilverPlatter (SP)
> Electronic Reference Library (ERL) databases available over
> the Internet. http://www.silverplatter.com.
> Problem: Problem lies in incorrect validation of user
> submitted-by-browser information, that can show any file of
> the system where script installed.
> Author: UkR-XblP
> Exploit: www.target.com/cgi-bin/webspirs.cgi?sp.nextform=../../../../../../path/to/file
> Affected: affected in all version of this script

--
"Wise men talk because they have something to say; fools talk
because they have to say something." - Plato

Ashwin Kutty
Systems Administrator
Dalhousie University Libraries
(902) 494-2694
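
Added example (not part of the original posts): a log check a defender could run to find requests like the one reported above, where `sp.nextform` carries a traversal path, including percent-encoded forms. The log lines, client addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format); addresses are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Feb/2001:10:01:02 -0400] "GET /spirs/webspirs.cgi?sp.nextform=search.htm HTTP/1.0" 200 5120
192.0.2.44 - - [13/Feb/2001:10:03:17 -0400] "GET /spirs/webspirs.cgi?sp.nextform=../../../../../etc/passwd HTTP/1.0" 200 812
192.0.2.44 - - [13/Feb/2001:10:03:40 -0400] "GET /cgi-bin/webspirs.cgi?sp.nextform=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.0" 200 812
192.0.2.44 - - [13/Feb/2001:10:04:05 -0400] "GET /cgi-bin/webspirs.cgi?sp.nextform=%252e%252e%255cboot.ini HTTP/1.0" 404 210
192.0.2.51 - - [13/Feb/2001:10:09:59 -0400] "GET /spirs/medline?sp.nextform=forms/show.htm HTTP/1.0" 200 4096
"""

# client address, request target, status code
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the form name is absolute or contains a '..' path segment."""
    path = fully_decode(value).replace("\\", "/")
    return path.startswith("/") or ".." in path.split("/")

def find_traversal_requests(log_text):
    """Return (client, status, decoded value) for each suspicious sp.nextform."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in params.get("sp.nextform", []):
            if is_traversal(value):
                hits.append((client, int(status), fully_decode(value)))
    return hits

if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(hit)
```

Hits that were answered with status 200 are the ones to triage first, since the response may have contained the requested file.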



WebSPIRS CGI script "show files" Vulnerability.

2001-02-12 Thread UkR-XblP™

---UkR security team advisory #1 
WebSPIRS CGI script "show files" Vulnerability.
--


Name: WebSPIRS CGI script "show files" Vulnerability.
Date: 27.01.2001
About: WebSPIRS is SilverPlatter's Information Retrieval
System for the World Wide Web (WWW). It is a common gateway
interface (CGI) application which allows any forms-capable
browser, such as Netscape, to search SilverPlatter (SP)
Electronic Reference Library (ERL) databases available over
the Internet. http://www.silverplatter.com.
Problem: Problem lies in incorrect validation of user
submitted-by-browser information, that can show any file of
the system where script installed.
Author: UkR-XblP
Exploit: www.target.com/cgi-bin/webspirs.cgi?sp.nextform=../../../../../../path/to/file
Affected: affected in all version of this script