
sbox path disclosure problem




                        ---------------------------
                        EightOne Research Facility
                        ---------------------------

EORF2003-04 (security advisory)

Title: sbox has an information disclosure problem
Author: Julio "e2fsck" Cesar
Vendor: http://stein.cshl.org/WWW/software/sbox
Versions: sbox 1.04 and later
Date: 18 Sep 2003







1. Description

  sbox is a CGI wrapper that allows CGIs to be executed more safely. What
sbox does is "box" the CGI script into a secure environment and run it.

  EightOne Research Facility has discovered a path disclosure problem in
sbox, which allows malicious users to learn the physical path of the server
and the username of the domain.





2. Details

  When a user makes a request to the /cgi-bin directory, sbox intermediates
this request and executes the CGI script in a restricted environment, but before
this execution it makes some checks, such as rejecting CGI scripts in world-writable
directories. When a request for a non-existent script in /cgi-bin is made, sbox
displays an error that reveals information that shouldn't be revealed,
such as the physical path.

  Here is an example: request http://your.vulnerable.site/cgi-bin/non-existent.pl
and look at what we get:



-- snip --
Sbox Error

The sbox program encountered an error while processing this request.
Please note the time of the error, anything you might have been doing at
the time to trigger the problem, and forward the information to this
site's Webmaster (root@your.vulnerable.site).

    Stat failed. /home/jcf/cgi-bin/a.pl: No such file or directory

sbox version 1.04
$Id: sbox.c,v 1.9 2000/03/28 20:12:40 lstein Exp $
-- unsnip --



It revealed the username of the domain and the physical path of the cgi-bin
directory. It is also possible to use the obtained username to make brute force
attacks to guess the user's password and obtain unauthorized access.
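As an added example (not sbox's own code), the defensive pattern that closes this kind of leak: the full path and errno go to the server log (stderr, which Apache collects into error_log), and the browser only receives the script's basename and a generic reason. The function names, the message wording and the sample path are assumptions; the "before" formatter reconstructs the message shown in the snippet above.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define CLIENT_MSG_MAX 128

/* Before (hypothetical reconstruction of the sbox 1.04 behaviour): the message
 * sent to the browser embeds the absolute path, and with it the home-directory
 * user name. */
static void verbose_client_message(const char *path, int err, char *out, size_t n)
{
    snprintf(out, n, "Stat failed. %s: %s", path, strerror(err));
}

/* After: detail is logged server-side; the client sees only the basename and
 * a coarse reason, so neither the directory layout nor the user name leaks. */
static void safe_client_message(const char *path, int err, char *out, size_t n)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    fprintf(stderr, "sbox: stat(%s) failed: %s\n", path, strerror(err));
    snprintf(out, n, "Requested script \"%s\" could not be run (%s).",
             base, err == ENOENT ? "not found" : "access error");
}

/* Simple leak check usable in tests: a client message must carry no directory
 * component. Returns 1 if a '/' is present, 0 otherwise. */
int leaks_path(const char *msg)
{
    return strchr(msg, '/') != NULL;
}

/* stat() the script; on failure fill 'out' with the client-safe message and
 * return -1, on success clear 'out' and return 0. */
int check_script(const char *path, char *out, size_t n)
{
    struct stat st;
    if (stat(path, &st) == 0) {
        out[0] = '\0';
        return 0;
    }
    safe_client_message(path, errno, out, n);
    return -1;
}
```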





3. Solution

  Stein Laboratory has been contacted but I haven't received any reply yet.

Thanks to Despise for being this cool guy and helping us when we needed it.
Sorry if there are English mistakes.

Regards,
members of EightOne.

EightOne Research Facility - http://eightone.mafiadodiva.org
Recife, PE, Brazil
