Avi Alkalay contribute.cgi/contribute.pl template Variable Arbitrary File Retrieval
2005-09-12T00:06:15
ID OSVDB:19522 Type osvdb Reporter Sullo(sullo@cirt.net) Modified 2005-09-12T00:06:15
Description
Vulnerability Description
The Celular contribute.cgi and contribute.pl scripts contain a flaw that allows a remote attacker to read files outside of the web path. The scripts do not properly sanitize user input: directory-traversal sequences (../../) supplied via the template variable are accepted and used to build the file path. The contribdir variable may also be usable to read additional files.
Technical Description
contribute.cgi and contribute.pl are the same CGI program with different file extensions. One may be installed as "Celular" and one as "Contribute".
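The advisory's Perl source is not reproduced here, so the following is an added illustration, not code from contribute.cgi/contribute.pl or from the vendor. It shows the pattern the description points at: a CGI that joins two query parameters (`template` and `contribdir`, the parameter names from the advisory) into a file path without validation, next to a hardened resolver that pins the result under a fixed template directory. The base directory, the default file names, and the function names are assumptions made for the example; the query strings exercised are the ones from the advisory's testing notes plus an encoded ../../ variant.

```python
"""Added example: unsafe vs. hardened template-path resolution for a CGI that
takes `template` and `contribdir` from the query string (parameter names from
the advisory; everything else is constructed for illustration)."""
import os
from urllib.parse import parse_qs


def _params(query: str):
    # parse_qs percent-decodes, so "..%2F..%2F" arrives as "../../".
    params = parse_qs(query)
    contribdir = params.get("contribdir", ["."])[0]     # assumed default
    template = params.get("template", ["default.html"])[0]  # assumed default
    return contribdir, template


def unsafe_template_path(query: str) -> str:
    """The vulnerable pattern: join user-controlled directory and file name
    with no checks. Two things go wrong:
      * an absolute `template` (e.g. /etc/passwd) makes os.path.join discard
        contribdir entirely, so the script opens the attacker's path as-is;
      * a relative `template` containing ../ walks out of contribdir.
    """
    contribdir, template = _params(query)
    return os.path.normpath(os.path.join(contribdir, template))


def safe_template_path(query: str, base_dir: str) -> str:
    """Hardened resolution: every template must canonicalise to a path inside
    base_dir. Absolute components and NUL bytes are rejected before joining,
    and the containment check runs on the realpath so symlinks and ../ that
    survive normpath cannot escape.
    """
    contribdir, template = _params(query)
    for part in (contribdir, template):
        if os.path.isabs(part) or "\0" in part:
            raise ValueError("rejected path component: %r" % part)
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, contribdir, template))
    # commonpath handles base == "/" correctly, unlike a startswith(base + sep) test.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes template directory: %r" % candidate)
    return candidate


def is_rejected(query: str, base_dir: str) -> bool:
    """Helper for checks: True if the hardened resolver refuses the query."""
    try:
        safe_template_path(query, base_dir)
    except ValueError:
        return False if False else True
    return False


if __name__ == "__main__":
    for q in ("template=/etc/passwd&contribdir=.",
              "template=..%2F..%2Fetc%2Fpasswd&contribdir=.",
              "template=index.html&contribdir=."):
        print(q, "->", unsafe_template_path(q), "| rejected:", is_rejected(q, "."))
```

The unsafe function reproduces exactly why the advisory's test URL (`template=/etc/passwd&contribdir=.`) works: the joined path is `/etc/passwd`, regardless of contribdir. The hardened version refuses both the absolute form and the encoded traversal while still serving a plain file name under the base directory.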
Solution Description
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
Short Description
The Celular contribute.cgi and contribute.pl scripts contain a flaw that allows a remote attacker to read files outside of the web path. The scripts do not properly sanitize user input: directory-traversal sequences (../../) supplied via the template variable are accepted and used to build the file path. The contribdir variable may also be usable to read additional files.
Manual Testing Notes
http://[victim]/cgi-bin/contribute.pl?template=/etc/passwd&contribdir=.
http://[victim]/cgi-bin/contribute.cgi?template=/etc/passwd&contribdir=.
References
Vendor URL: http://www.alkalay.net/software/
Secunia Advisory ID: 16895 (https://secuniaresearch.flexerasoftware.com/advisories/16895/)
Related OSVDB ID: 19519 (https://vulners.com/osvdb/OSVDB:19519)
Related OSVDB ID: 19520 (https://vulners.com/osvdb/OSVDB:19520)
Related OSVDB ID: 19521 (https://vulners.com/osvdb/OSVDB:19521)
Related OSVDB ID: 19879 (https://vulners.com/osvdb/OSVDB:19879)
Other Advisory URL: http://www.cirt.net/advisories/alkalay.shtml
Affected Software
contribute.cgi, version 16 Jun 2002
contribute.pl, version 16 Jun 2002
Record: https://vulners.com/osvdb/OSVDB:19522 (last seen 2017-04-28T13:20:16). No CVE assigned; no CVSS vector recorded.