Avi Alkalay contribute.cgi/contribute.pl template Variable Arbitrary File Retrieval

2005-09-12T00:06:15
ID OSVDB:19522
Type osvdb
Reporter Sullo (sullo@cirt.net)
Modified 2005-09-12T00:06:15

Description

Vulnerability Description

The Celular contribute.cgi and contribute.pl scripts contain a flaw that allows a remote attacker to read files outside of the web root. The script opens the file named by the template variable without validating it, so an absolute path (e.g. /etc/passwd) or a traversal sequence (../../) supplied in that parameter is passed straight to the file open and the file's contents are returned in the response. Any file readable by the web server's user can be retrieved this way. The contribdir variable appears to be handled the same way and may allow further files to be read.
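As an added example (not part of the original advisory and not Avi Alkalay's code), the following Perl shows the unsafe pattern the advisory describes, a user-controlled template name passed straight to open, beside a hardened replacement that only accepts a bare filename and verifies the resolved path stays under a fixed template directory. The function names, the temporary template directory and the test inputs are constructed for this demonstration; the advisory does not publish the script's source.

```perl
#!/usr/bin/perl
# Added example, not the Celular/Contribute code: unsafe template open
# (the pattern the advisory describes) beside a constrained version.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Cwd qw(realpath);

# Vulnerable pattern: the request parameter is used directly as a path,
# so /etc/passwd or ../../etc/passwd is opened and returned as-is.
sub read_template_unsafe {
    my ($template) = @_;
    open(my $fh, '<', $template) or return undef;
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Hardened version. Assumption (not from the advisory): templates live in
# one fixed directory $base and are referenced by a bare filename.
sub safe_template_path {
    my ($base, $name) = @_;
    return undef unless defined $name && length $name;
    # Reject anything that is not a single path component: slashes,
    # backslashes, NUL bytes and leading dots (covers "." and "..").
    return undef if $name =~ m{[/\\\0]};
    return undef if $name =~ /^\./;
    my $real_base = realpath($base) or return undef;
    my $candidate = File::Spec->catfile($real_base, $name);
    # Resolve symlinks as well; the result must still sit inside $real_base.
    # realpath returns undef for a non-existent file, which is also refused.
    my $real = realpath($candidate);
    return undef unless defined $real;
    return undef unless index($real, $real_base . '/') == 0;
    return $real;
}

sub read_template_safe {
    my ($base, $name) = @_;
    my $path = safe_template_path($base, $name);
    return undef unless defined $path;
    return read_template_unsafe($path);
}

# Constructed template directory with one legitimate template.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/form.html") or die "cannot write template: $!";
print $out "<h1>contribute form</h1>\n";
close $out;

# Constructed inputs: one valid name and several of the shapes an attacker
# would send in the template parameter.
for my $t ('form.html', '/etc/passwd', '../../etc/passwd', '.htpasswd', "form.html\0x") {
    my $shown = $t;
    $shown =~ s/\0/\\0/g;
    my $unsafe = defined read_template_unsafe($t)      ? 'read' : 'refused';
    my $safe   = defined read_template_safe($dir, $t)  ? 'read' : 'refused';
    printf "%-22s unsafe: %-8s safe: %s\n", $shown, $unsafe, $safe;
}
```

Run with plain `perl`; on a host where /etc/passwd exists the unsafe reader returns it, while the hardened reader accepts only form.html. Rejecting on the filename alone is not enough when symlinks are possible, which is why the resolved path is compared against the resolved base directory as well.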

Technical Description

contribute.cgi and contribute.pl are the same CGI program with different file extensions. One may be installed as "Celular" and one as "Contribute".

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

The Celular contribute.cgi and contribute.pl scripts open the file named by the unsanitized template variable, allowing a remote attacker to retrieve arbitrary files (e.g. /etc/passwd) from the server; the contribdir variable may expose further files.

Manual Testing Notes

http://[victim]/cgi-bin/contribute.pl?template=/etc/passwd&contribdir=.
http://[victim]/cgi-bin/contribute.cgi?template=/etc/passwd&contribdir=.

References:

Vendor URL: http://www.alkalay.net/software/
Secunia Advisory ID: 16895
Related OSVDB ID: 19520
Related OSVDB ID: 19521
Related OSVDB ID: 19519
Related OSVDB ID: 19879
Other Advisory URL: http://www.cirt.net/advisories/alkalay.shtml