MultiHTML.txt

2000-09-15T00:00:00
ID PACKETSTORM:23116
Type packetstorm
Reporter Niels Heinen
Modified 2000-09-15T00:00:00

Description

                                        
                                            `Title : MultiHTML vulnerability.  
Description : Retrieve files from the server.  
Vendor status : Notified and a new (not much improved) script is released.  
  
  
Short description of the tool:  
==============================  
  
MultiHTML allows you to put an SSI call where you want the HTML file to  
be displayed.  
The SSI executes the MultiHTML program which displays whatever HTML file  
you have it set to  
display. The main reason i'm posting this is because of the fact that  
this script is offerd  
by many lets-expand-our-cgi-bins-to-make-us-look-good isp's.  
  
  
The problems  
============  
  
The cgi script checks the extentions of the requested file to see if it  
is ok. This easily can be  
tricked by using %00 ( Olaf Kirch )  
  
http://localhost/cgi-bin/multihtml.pl?multi=/etc/passwd%00html  
  
further their is no dcumentroot specified in the script so we do not  
need to use the ../../ here  
because their is access to every directory on the system in question  
(lame). Even if their was a  
documentroot and they would filter the dots then you would have to make  
sure that the script does  
not contain any higher directory's. Because the open(FILE, "$multi")  
functions in the script makes  
it easy to bypass .htaccess files.  
  
  
The solution:  
=============  
  
Be a man and learn how to use ssi without a script. Or beg someone to  
write a new one ;)  
  
  
Greets  
  
  
zillion  
  
`