Vulnerability

    MultiHTML

Affected

    MultiHTML

Description

    Niels Heinen found following.  MultiHTML allows you to put an  SSI
    call  where  you  want  the  HTML  file  to be displayed.  The SSI
    executes the MultiHTML program  which displays whatever HTML  file
    you have it set to display.   The main reason fpr posting this  is
    because  of  the  fact  that   this  script  is  offerd  by   many
    lets-expand-our-cgi-bins-to-make-us-look-good isp's.

    The cgi script checks the extentions of the requested file to  see
    if it is ok.  This easily can be tricked by using %00 (Olaf Kirch)

        http://localhost/cgi-bin/multihtml.pl?multi=/etc/passwd%00html

    further their is no dcumentroot  specified in the script so  we do
    not need to use the ../../  here because their is access to  every
    directory on the system in question  (lame).  Even if their was  a
    documentroot and they  would filter the  dots then you  would have
    to  make  sure  that  the  script  does  not  contain  any  higher
    directory's.   Because the  open(FILE, "$multi")  functions in the
    script makes it easy to bypass .htaccess files.


Solution

    Be a  man and  learn how  to use  ssi without  a script.   Or  beg
    someone to write a new one.