Vulnerability

News Desk

Affected

News Desk 1.2

Description

The following is based on a B10Z Security Advisory. News Desk 1.2 (newsdesk.cgi) is a news submission script written in Perl that allows someone on a remote computer to connect to the server and post news submissions without logging into the actual server. By logging into the CGI with a custom login and password (pass.txt), the admin is able to post the latest headline news to his/her website with ease.

Adding the string "/../" to a URL allows an attacker to view any file on the server, and also to list directories within the server, that the owner of the vulnerable httpd has permissions to access.

Examples:

http://www.VULNERABLE.com/cgi-bin/newsdesk.cgi?t=../../../../etc/passwd

Will obviously open the passwd file, if unshadowed.

http://www.VULNERABLE.com/cgi-bin/newsdesk.cgi?t=../pass.txt

Will open the password string, which can be used to log in to newsdesk.cgi and post new news or, with special variables, to upload/post HTML to the htdocs directory, possibly leading to a defacement of the webpage.

http://www.VULNERABLE.com/cgi-bin/newsdesk.cgi?t=../../../../etc/

Will obviously list the /etc/ directory. Not all servers will list directories, but most appear to.

Note: It depends on where they install newsdesk.cgi; it is not always in a cgi-bin, so it could be installed under any path. Just go to your favorite search engine and search for newsdesk.cgi and voila. There are also some other variants of this CGI script out there; most of them are noticeable by the news.cgi?a=something&t=meow.html format. Notice the a= and t= parameters, which are a clear give-away of Newsdesk.

'zenomorph' contributed the following. Remote command execution is possible on most sites if you use the correct directory syntax; ../../../bin/ls%20/| is a working example. Many more commands are possible if you play around with it a bit, such as spawning xterms.

Solution

Vendor has been contacted and will release an updated version which is supposed to be more secure...
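
A log check for the request patterns described above, as an added example that is not part of the original advisory or of News Desk itself. It assumes a common/combined-format web access log; the sample lines are constructed, and the absolute-path and double-encoding checks go beyond the cases the advisory lists.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Script names from the advisory: newsdesk.cgi and the news.cgi variant.
SCRIPT_RE = re.compile(r"/(?:newsdesk|news)\.cgi$", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify_t(value):
    """Return the reasons a decoded t= value is suspicious (empty list if none)."""
    # Decode once more to catch double-encoded input such as %252e%252e.
    value = unquote(value)
    reasons = []
    if ".." in re.split(r"[\\/]", value):
        reasons.append("traversal")
    if value.startswith("/"):
        reasons.append("absolute-path")
    if re.search(r"[|;`$&<>]", value):
        reasons.append("shell-metachar")
    return reasons

def scan(lines):
    """Yield (line_number, t_value, reasons) for suspicious newsdesk requests."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not SCRIPT_RE.search(url.path):
            continue
        for t in parse_qs(url.query, keep_blank_values=True).get("t", []):
            reasons = classify_t(t)
            if reasons:
                yield n, t, reasons

# Constructed sample access-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /cgi-bin/newsdesk.cgi?t=meow.html HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Jan/2001:10:00:05 +0000] "GET /cgi-bin/newsdesk.cgi?t=../pass.txt HTTP/1.0" 200 40',
    '192.0.2.11 - - [01/Jan/2001:10:00:09 +0000] "GET /cgi-bin/newsdesk.cgi?t=../../../bin/ls%20/| HTTP/1.0" 200 900',
    '192.0.2.12 - - [01/Jan/2001:10:00:12 +0000] "GET /news/news.cgi?a=something&t=%2e%2e%2f%2e%2e%2fetc%2f HTTP/1.0" 200 700',
    '192.0.2.13 - - [01/Jan/2001:10:00:20 +0000] "GET /index.html?t=../x HTTP/1.0" 200 100',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit on pass.txt means the News Desk login should be treated as disclosed and changed, whatever the state of the script itself.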