Vulnerability

ROADS search system

Affected

ROADS search system

Description

'UkR-XblP' found the following. The search.pl program is a Common Gateway Interface (CGI) program used to provide an end-user search front end to ROADS databases. When accessed with no CGI query, the program can return an HTML form for the user to fill in to make a query. This form can be designed by the SBIG Administrator and can include a number of options. The default form for this installation is held in the search directory under the ROADS config directory by http://www.roads.lut.ac.uk.

Through this bug you can see any file. The bug works on every system where Perl is installed. "%00" means the hex symbol of the end of the line, used in C, C++ and Perl.

Exploit:

    http://www.victim.com/ROADS/cgi-bin/search.pl?form=url_to_any_file%00

Solution

All of the ROADS 2.x series releases were vulnerable to this, and the same vulnerability existed in some of our other CGI programs. The 2.4 release fixed this. For more on these, see:

http://www.roads.lut.ac.uk/lists/open-roads/2001/02/
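
The "%00" in the request decodes to a NUL byte, which the C library underneath Perl's file functions treats as the end of the file name. The following Perl is an added example, not code from ROADS or from the original report; it shows one way a CGI script could validate a "form" value before building a path from it. The names safe_form_path and $FORM_DIR, the ".html" suffix and the sample inputs are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example, not ROADS code: validate a CGI "form" parameter before it
# is used to build a file name. safe_form_path and $FORM_DIR are hypothetical.
use strict;
use warnings;
use File::Spec;
use Cwd qw(abs_path);
use File::Temp qw(tempdir);

# Return the absolute path of a form template inside $form_dir, or undef
# when the requested name is not acceptable.
sub safe_form_path {
    my ($form_dir, $name) = @_;
    return undef unless defined $name && length $name;
    # A decoded %00 arrives as a NUL byte; the C library stops reading the
    # file name there, so any suffix appended after it is silently dropped.
    return undef if $name =~ /\0/;
    # Allowlist: plain form names only, no path separators, no leading dot.
    return undef unless $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;
    my $base = abs_path($form_dir);
    return undef unless defined $base;
    my $candidate = File::Spec->catfile($base, "$name.html");
    return undef unless -f $candidate;
    # Resolve symlinks and confirm the result is still under the form dir.
    my $path = abs_path($candidate);
    return undef unless defined $path && index($path, "$base/") == 0;
    return $path;
}

# Constructed sample data: a temporary form directory with one template.
my $FORM_DIR = tempdir(CLEANUP => 1);
open(my $fh, '>', File::Spec->catfile($FORM_DIR, 'default.html')) or die $!;
print {$fh} "<form>...</form>\n";
close($fh);

# Constructed inputs, as they would look after CGI URL-decoding.
my @requests = ('default', "default\0", "../../etc/passwd\0", '/etc/passwd', '');
for my $req (@requests) {
    (my $shown = $req) =~ s/\0/%00/g;    # make the NUL visible when printing
    my $path = safe_form_path($FORM_DIR, $req);
    printf "%-24s %s\n", "'$shown'", defined $path ? "serve $path" : 'rejected';
}
```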