--ZoaI/ZTpAVc4A5k6
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
SUMMARY
======
A directory traversal vulnerability exists in the Ars Digita Community
System. A remote attacker could exploit this vulnerability to read
arbitrary files with the permissions of the web server.
AFFECTED SOFTWARE
================
* Ars Digita Community System (ACS) 3.4.9, 3.4.10, and probably earlier
versions
* Ars Digita Community Education Solution (ACES) 1.1
UNAFFECTED
=========
* OpenACS all versions
* Ars Digita Community System (ACS) 4.2
* ACS-Java 3.4, 4.0, 4.7.4
IMPACT
=====
A remote attacker could exploit this vulnerability to read sensitive
files on the affected system. Possible targets could include files
containing passwords, private keys for SSL certificates, and web server
logs.
DETAILS
======
RFC2396 permits the use of escaped characters in a URI string,
consisting of a percent sign followed by two hexadecimal digits
corresponding to the ASCII value of the character. For example, a space
would be encoded as %20.
The unencoding of these values is typically handled by the web server.
Affected versions of ACS perform their own decoding operation after
that done by the web server, so that URIs containing %25, the encoded
form of the percent character, are decoded twice.
Web servers traditionally also perform sanity checks on URLs to prevent
them from accessing files in the directory tree outside of the web
server's configured root directory. One of the most common restricted
sequences is "../", which refers to the parent directory of the current
working directory.
Because the second URI decoding that ACS performs occurs after the
sanity checks done by the web server, encoded forms of "../" are not
properly escaped, leading to the possibility of URIs that access files
outside of the web server's root directory.
SOLUTION
=======
In the request-processor-procs.tcl file, replace the line
set url [ns_urldecode [ns_conn url]]
with
set url [ns_conn url]
EXPLOIT
======
This example will retrieve the UNIX password file from a vulnerable
host with a web root fewer than 8 directories deep from the root
directory.
http://target.tld/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd
ACKNOWLEDGMENTS
==============
Thanks to Eve Andersson for finding the source of the bug in the
application code and providing a fix.
Thanks to the OpenACS development team for helping confirm their
software is not vulnerable.
--
Elliot Kendall
Network Security Engineer
Brandeis University
--ZoaI/ZTpAVc4A5k6
Content-Type: application/x-pkcs7-signature
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: base64
MIIItAYJKoZIhvcNAQcCoIIIpTCCCKECAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC
BiswggLkMIICTaADAgECAhBggvMqYGnmWTL8QHFRd45JMA0GCSqGSIb3DQEBBQUAMGIxCzAJ
BgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYD
VQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQTAeFw0wNjExMjIxOTA3
MzJaFw0wNzExMjIxOTA3MzJaMEcxHzAdBgNVBAMTFlRoYXd0ZSBGcmVlbWFpbCBNZW1iZXIx
JDAiBgkqhkiG9w0BCQEWFWVrZW5kYWxsQGJyYW5kZWlzLmVkdTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAO9eDtuy41oKi2lWSjfmLhH9Essvghz1h96Hqdh+AYkEz1wEJWG5
ovCDBzrekBdRkXB8vN1p8CV4jfyI2u2Ahrbiv33h45ComeVKMc1lUmMTdICfe5SHzj0+0fK2
G2dUHS6t5CEG2Dy1pZBN3+4dyun3VkkYGJB6IYuvGVxwH8YUw8Dc/SmWBOtLTPjDZ8kZVQyC
o+rzDVGFNJVYmjOy9+n0EEgVgNTmgAQGSlWFpR7jnBgjB0ppicKQse9sj/OW33cCHYmcxO85
pYySx+glldHfUiHD2YqNiMOjiBF0n/Q9kLQh/IyzVbRue5efYvwCGSsjb3LBVAHg6JPg+Rcq
zpECAwEAAaMyMDAwIAYDVR0RBBkwF4EVZWtlbmRhbGxAYnJhbmRlaXMuZWR1MAwGA1UdEwEB
/wQCMAAwDQYJKoZIhvcNAQEFBQADgYEAmZlx5KZcqutjgUk1vgyPtnx/ptHdLo8iHiyVGrSj
5Hc/zl4+QOLHBQU/0NCAkzPQFSl/LUQYsMefBo9enPIY79OUFO9gThclvpr3WmghB+agvVxf
Skm4VoxKsWtrBX46FDafeRuCGdRxvR1IhT0sc7Un7Rc1J5OitkVwxegEsj8wggM/MIICqKAD
AgECAgENMA0GCSqGSIb3DQEBBQUAMIHRMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVy
biBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xGjAYBgNVBAoTEVRoYXd0ZSBDb25zdWx0aW5n
MSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMSQwIgYDVQQDExtU
aGF3dGUgUGVyc29uYWwgRnJlZW1haWwgQ0ExKzApBgkqhkiG9w0BCQEWHHBlcnNvbmFsLWZy
ZWVtYWlsQHRoYXd0ZS5jb20wHhcNMDMwNzE3MDAwMDAwWhcNMTMwNzE2MjM1OTU5WjBiMQsw
CQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoG
A1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAMSmPFVzVftOucqZWh5owHUEcJ3f6f+jHuy9zfVb8hp2vX8MOmHy
v1HOAdTlUAow1wJjWiyJFXCO3cnwK4Vaqj9xVsuvPAsH5/EfkTYkKhPPK9Xzgnc9A74r/rsY
Pge/QIACZNenprufZdHFKlSFD0gEf6e20TxhBEAeZBlyYLf7AgMBAAGjgZQwgZEwEgYDVR0T
AQH/BAgwBgEB/wIBADBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vY3JsLnRoYXd0ZS5jb20v
VGhhd3RlUGVyc29uYWxGcmVlbWFpbENBLmNybDALBgNVHQ8EBAMCAQYwKQYDVR0RBCIwIKQe
MBwxGjAYBgNVBAMTEVByaXZhdGVMYWJlbDItMTM4MA0GCSqGSIb3DQEBBQUAA4GBAEiM0VCD
6gsuzA2jZqxnD3+vrL7CF6FDlpSdf0whuPg2H6otnzYvwPQcUCCTcDz9reFhYsPZOhl+hLGZ
GwDFGguCdJ4lUJRix9sncVcljd2pnDmOjCBPZV+V2vf3h9bGCE6u9uo05RAaWzVNd+NWIXiC
3CEZNd4ksdMdRv9dX2VPMYICUTCCAk0CAQEwdjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMc
VGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFs
IEZyZWVtYWlsIElzc3VpbmcgQ0ECEGCC8ypgaeZZMvxAcVF3jkkwCQYFKw4DAhoFAKCBsTAY
BgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wNzAxMTgyMDIwNTNa
MCMGCSqGSIb3DQEJBDEWBBS+Vs9VPjcYuGuTMH2RszRuf9ncsjBSBgkqhkiG9w0BCQ8xRTBD
MAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzAN
BggqhkiG9w0DAgIBKDANBgkqhkiG9w0BAQEFAASCAQC9E46wHqD6/4YY47YxRou07559u6xH
pa2kOu9kQUuNqzyI0P2/8E+Z3fjz64j5kNRunvaYXM6w4OFUmCXl7NimjDObmK/67v0LgcdI
/W771EWU5P3MsCNG3Np2xg9fQkcWppEQY2PFOnGJsJod25iOh5duOEUc5e8BOQ3yILkqbNg4
nHOjADO7SsBW8PZdFBEujswpz2GzSkeZu0Mmh6WFCJlnN/s7BfIF2VIVrbxUnC4XbgksSMwE
kwyHByRjDdkOevZrpa7J/i3snPArwwvYuSUbvE3WMjIkSnDli44tsjA5DBk/Pig9PlBCA9ks
Zs/jsql6pOD2nnj+/RvQOpFA
--ZoaI/ZTpAVc4A5k6--