Interactive Story 1.3 read arbitrary file
Vulnerability

    Interactive Story

Affected

    Interactive Story 1.3

Description

    The following is based on qDefense Advisory Number QDAV-2001-7-3.
    Interactive Story does not properly validate the contents of a
    hidden field named "next". By setting that field to the name
    of a file, and using double dots and poison nulls, an attacker
    can cause Interactive Story to display the contents of any file.

    Interactive Story contains the following lines:

        $nextfile = "$story_dir/$in{'next'}.txt";
        ...
        elsif ((-e $nextfile)  && ($in{'submit'} eq "")) {
        ...
        
               while (<STORY>) {
                  print $_;
               }
        ...
        }

    If an attacker sets the "next" field to something like

        ../../../../../../../../../../etc/passwd%00

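    Interactive Story will open and display the password file. The
    double dots walk the path out of the story directory, and the
    null byte (%00) ends the filename before the appended ".txt".
    This technique can be used to display any file that the web
    server has permission to read.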

Solution

    Valerie Mates has released an upgrade, version 1.4, which strips
    special characters from the "next" field.
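
    One way to validate the "next" field before building the path, as an
    added example (this is not the code from version 1.4). The helper name
    story_path, the 64-character limit and the sample page are assumptions
    made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Temp qw(tempdir);

# Hypothetical helper: map the "next" form value to a file under $story_dir,
# or return undef if the value is not a plain page name.
sub story_path {
    my ($story_dir, $next) = @_;
    return unless defined $next;

    # Allowlist: letters, digits, underscore and hyphen only. This rejects
    # "/", "." and the NUL byte that a decoded %00 leaves in the string.
    # \z (not $) so a trailing newline cannot slip through.
    # The 64-character limit is an assumed bound, not taken from the script.
    return unless $next =~ /\A[A-Za-z0-9_-]{1,64}\z/;

    my $candidate = "$story_dir/$next.txt";
    return unless -f $candidate;

    # Defense in depth: resolve symlinks and confirm the file is still
    # inside the story directory.
    my $base = abs_path($story_dir);
    my $real = abs_path($candidate);
    return unless defined $base && defined $real;
    return unless index($real, "$base/") == 0;
    return $real;
}

# Constructed sample data: a temporary story directory with one page.
my $dir = tempdir(CLEANUP => 1);
open(my $fh, '>', "$dir/page2.txt") or die "cannot create sample page: $!";
print {$fh} "You enter the cave.\n";
close($fh);

my @samples = (
    'page2',                                        # legitimate page name
    "../../../../../../../../../../etc/passwd\0",   # decoded form of the advisory's value
    'page2.txt',                                    # dots are not allowed
    "page2\n",                                      # trailing newline
);
for my $next (@samples) {
    # Show non-printable bytes as \xNN so the NUL and newline are visible.
    (my $shown = $next) =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    printf "%-50s %s\n", $shown,
        defined(story_path($dir, $next)) ? 'served' : 'rejected';
}
```

    Only the first sample is served. Rejecting a bad value outright, rather
    than stripping characters and continuing, avoids serving a different
    page than the one requested.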