|
Vulnerability Anaconda Foundation Directory Affected Linux/UNIX with Anaconda Foundation Directory Description Following is based on a Synnergy Laboratories Advisory SLA-2000-17. Synnergy Labs has found a flaw within Anaconda Foundation Directory that allows a user to successfully traverse the filesystem on a remote host, allowing arbitary files/folders to be read. The Anaconda Foundation Directory is a Yahoo style search engine based on the Open Directory project, www.dmoz.org. The Anaconda Foundation Directory allows you to dynamically integrate content into your site's own look and feel. This is the exact same content that Lycos features on their front page! Product pricing is $499 US. Synnergy has recently discovered a flaw within Anaconda Foundation Directory that allows a remote user to traverse the filesystem as a request to the script using the $template=_some_file_. It is then possible to read any file contents with priviledges as the httpd. Although the script checks for the file extension (.htm, .html, .shtml, .stm) adding a trailing %00.html, (a NULL byte in URL encoded format), at the end of the request will force the script to open the file. Example: http://www.target.com/cgi-bin/apexec.pl?etype=odp&template=../../../../../../../../../etc/resolv.conf%00.html&passurl=/category/ The above line if given will output the file contents of /etc/resolv.conf. Solution The vendors have been informed of the bug. It is advised to wait for the next patched version of Anaconda Foundation Directory to be released.