PerlCal (CGI) show files vulnerability

2001-04-28T00:00:00
ID SECURITYVULNS:DOC:1563
Type securityvulns
Reporter Securityvulns
Modified 2001-04-28T00:00:00

Description

[whizkunde security advisory: PerlCal (CGI)] http://www.whizkunde.org | stan@whizkunde.org


Release date: April 27th 2001

Subject: PerlCal (CGI) security problem

Systems affected: *NIX (not windows) systems running PerlCal CGI script

Vendor: http://www.perlcal.com

  1. Problem

cal_make.pl of the PerlCal script may allow remote users (website visitors) to view any file on the web server (depending on the user the web server is running as).

Consider this URL:

http://www.VULNERABLE.com/cgi-bin/cal_make.pl?p0=../../../../../../../../../../../../etc/passwd%00

This will display /etc/passwd (if the web server user has access to this file).

  2. Fix

I warned the PerlCal vendor three weeks ago. After a reaction, I gave him some time and tips to release a fix. Because the vendor still hasn't fixed the problem and because he didn't notify me why he hasn't released a patch yet, I released this advisory. I really hope the vendor will release a patch in the very near future. In the meantime it might be a good idea to just chmod 000 your PerlCal scripts.
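For comparison, here is an added example (not PerlCal's own code) of how a CGI script can take a calendar name from a parameter such as p0 without the traversal and NUL-byte truncation the advisory describes; the data directory, the ".cal" suffix and the function names are assumptions, since the advisory does not describe the script's internals.

```perl
#!/usr/bin/perl
# Added example, not PerlCal's own code. It shows how a CGI script can
# accept a calendar name from a parameter like p0 without letting it
# escape the data directory or truncate the path with a NUL byte.
# Assumed layout (not stated in the advisory): calendar files live in
# $CAL_DIR and the script appends ".cal" to the parameter.
use strict;
use warnings;
use File::Spec;
use Cwd qw(realpath);

my $CAL_DIR = '/usr/local/perlcal/data';   # assumed location

# Pure check on the parameter value: returns 1 if it is a plain name.
sub valid_cal_name {
    my ($p0) = @_;
    return 0 unless defined $p0;
    # Perl strings may contain NUL, but the C open(2) call underneath
    # stops at the first one, so "x\0" would open "x" and drop the
    # ".cal" suffix appended after it. Reject it outright.
    return 0 if $p0 =~ /\0/;
    # Only a simple basename: no slashes, no "..", no leading dot.
    return $p0 =~ /\A[A-Za-z0-9_-]{1,64}\z/ ? 1 : 0;
}

# Vulnerable pattern the advisory describes, for contrast only:
#   open(CAL, "$CAL_DIR/$p0.cal");  # "../../etc/passwd\0" -> /etc/passwd
# Safe pattern: validate, build the path, confirm it resolves inside
# $CAL_DIR (symlinks included), then use the three-argument open.
sub read_calendar {
    my ($p0) = @_;
    return undef unless valid_cal_name($p0);
    my $real = realpath(File::Spec->catfile($CAL_DIR, "$p0.cal"));
    my $base = realpath($CAL_DIR);
    return undef unless defined $real && defined $base
                    && index($real, "$base/") == 0;
    open(my $fh, '<', $real) or return undef;
    local $/;                      # slurp the whole file
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Constructed inputs: the second mimics the advisory's p0 after URL decoding.
for my $input ('april2001', "../../../../etc/passwd\0", 'foo/bar.cal') {
    (my $shown = $input) =~ s/\0/\\0/g;
    printf "%-28s => %s\n", $shown, valid_cal_name($input) ? 'allowed' : 'rejected';
}
```

Run as a plain script it prints "allowed" only for the first input; in a CGI context read_calendar would be called with the decoded p0 value and its undef return mapped to a 404 or 403 response.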

Stan a.k.a. ThePike stan@whizkunde.org http://www.whizkunde.org

Copyright whizkunde security team 2001