`Vulnerable Program: Meta Tag Generator (meta.pl)
Platform : UNIX
Company : www.cgi-access.com
Impact : Remote users can view arbitrary files with httpd privileges
Found by : slackette ([email protected])
Date : 14th November
Meta Tag Generator
__________________
As quoted from their site, "You can now offer your visitors a Meta Tag
Generator which will enable them to have their site's link ranked higher
in search engine results."
www.CGI-access.com's Meta Tag Generator takes in user input for a
description or keywords pertaining to a user's site. It then creates
specialised tags for this process, before the user eventually submits
their site to various search engines.
Vulnerability
_____________
Meta Tag Generator uses a hard-coded physical path for its output.txt.
By editing the hidden variable in the HTML form, a user can view any file
on the system, with the privileges of the UID of the httpd server.
The following variable within the HTML source shows this hard-coded path
to output.txt in its VALUE attribute.
<INPUT TYPE=HIDDEN NAME=TextFile VALUE="/home/cgi-access/html/meta/output.txt">
Thus modifying this VALUE will cause the meta.pl form to output the
alternate file that is defined by the user. Of course this will allow a
remote user to view files such as /etc/passwd, if the httpd UID is allowed
read access to the file.
Solution
____________
The simplest solution is to use environment variables for the output.txt
path in meta.pl itself, so that the form does not display direct
hard-coded links.
-= [email protected] =-
`
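The fix described under Solution, as an added example that is not part of the original advisory and not the vendor's code: a hypothetical Perl CGI handler that takes the output path from a server-side environment variable and ignores the TextFile form field. The variable name META_OUTPUT_FILE, the plain-text response and the log wording are assumptions.

```perl
#!/usr/bin/perl
# Added example: a hypothetical replacement handler, NOT the vendor's meta.pl.
use strict;
use warnings;
use CGI ();

# Assumption: the web server sets META_OUTPUT_FILE (for example with Apache's
# SetEnv). The fallback is the path shown in the advisory's hidden field.
my $OUTPUT_FILE = $ENV{META_OUTPUT_FILE}
    // '/home/cgi-access/html/meta/output.txt';

my $q = CGI->new;

# Vulnerable pattern described in the advisory: the request chooses the file.
#   my $file = $q->param('TextFile');
#   open(my $fh, '<', $file) or die;

# Hardened: the path never comes from the request. A TextFile field that is
# still submitted is ignored, and logged when it differs from the real path.
my $claimed = $q->param('TextFile');
if (defined $claimed && $claimed ne $OUTPUT_FILE) {
    (my $safe = $claimed) =~ s/[^\x20-\x7e]/?/g;    # keep the log line clean
    warn "meta.pl: ignored client-supplied TextFile '$safe' from "
       . ($ENV{REMOTE_ADDR} // 'unknown') . "\n";
}

print $q->header(-type => 'text/plain', -charset => 'utf-8');
if (open(my $fh, '<', $OUTPUT_FILE)) {
    print while <$fh>;
    close $fh;
} else {
    # Report the failure in the server log only; the client gets no path
    # and no system error text.
    warn "meta.pl: cannot open configured output file: $!\n";
    print "Output is not available.\n";
}
```

With this in place the hidden TextFile input can be dropped from the HTML form, and the warning in the server error log marks requests that still try to supply a path.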