Vulnerability

Interactive Story

Affected

Interactive Story 1.3

Description

The following is based on qDefense Advisory Number QDAV-2001-7-3.

Interactive Story does not properly validate the contents of a hidden field entitled "next". By setting that field to the name of a file, and using double dots and poison nulls, an attacker can cause Interactive Story to display the contents of any file.

Interactive Story contains the following lines:

    $nextfile = "$story_dir/$in{'next'}.txt";
    ...
    elsif ((-e $nextfile) && ($in{'submit'} eq "")) {
        ...
        while (<STORY>) {
            print $_;
        }
        ...
    }

If an attacker sets the "next" field to something like

    ../../../../../../../../../../etc/passwd%00

Interactive Story will open and display the password file. This technique can be used to display any file that the web server has permission to read.

Solution

Valerie Mates has released an upgrade, version 1.4, which strips special characters from the "next" field.
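
One way to validate the "next" field before the path is built, as an added example in Perl (not Interactive Story's own code and not the version 1.4 patch). The `story_path` helper, the allowed character set and the `/var/www/story` directory are assumptions; the check rejects a bad name outright instead of stripping characters from it.

```perl
#!/usr/bin/perl
# Added example: allowlist validation for the "next" field.
use strict;
use warnings;

# Assumption: page names consist only of letters, digits, underscore and hyphen.
# Returns the full path for a valid name, or undef if the name is rejected.
sub story_path {
    my ($story_dir, $next) = @_;
    return unless defined $next;
    # \A and \z anchor the whole string; "$" would accept a trailing newline.
    # NUL, "/", "\" and "." are all outside the class, so the "../" sequences
    # and the decoded %00 terminator both cause a rejection.
    return unless $next =~ /\A[A-Za-z0-9_-]{1,64}\z/;
    return "$story_dir/$next.txt";
}

# Constructed sample inputs, as they look after CGI URL-decoding (%00 -> "\0").
my @samples = (
    "chapter2",
    "../../../../../../../../../../etc/passwd\0",
    "chapter2\0",
    "..",
    "chapter2\n",
    "",
);

for my $next (@samples) {
    # Make control characters visible in the report.
    (my $shown = $next) =~ s/([^\x20-\x7e])/sprintf("\\x%02x", ord $1)/ge;
    my $path = story_path("/var/www/story", $next);   # hypothetical directory
    printf "%-50s => %s\n", "\"$shown\"", defined $path ? $path : "REJECTED";
}
```

Only the first sample yields a path; every other input, including the advisory's `../`-plus-null string, is reported as REJECTED.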