Vulnerability: sendtemp.pl

Affected: W3.ORG's sendtemp.pl (part of the Amaya web development server)

Description:

Tom Parker found the following. Below are the details of a vulnerability Tom recently discovered in W3.ORG's sendtemp.pl. The script, part of the Amaya web development server, contains a file disclosure vulnerability that allows remote read access to files on the server's file system with the privileges of whichever UID the httpd is running as.

The vulnerability is really quite simple. When the `templ` argument is passed to sendtemp.pl, the script adds a link to the chosen stylesheet and a META field containing the publication URL of the new file to the chosen template. For example:

http://localhost/cgi-bin/sendtemp.pl?templ=template.xml

This is all well and good, however, there is no sanity checking on the parameter you pass to the script, i.e.:

my $temp_file = param("templ");

So by simply issuing a GET to (for example):

http://localhost/cgi-bin/sendtemp.pl?templ=../../etc/passwd

the file system can be traversed and the passwd file read (assuming the http daemon has not been run under chroot()).

The URL below contains a simple exploit, although it is just as easy to use your browser:

http://www.rooted.net/code/sendtemp-exp.pl

Solution:

Note that W3.org are aware of this problem as of 12/01/01.
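The following is an added example written for this page; it is not code from sendtemp.pl or from W3C. It places the unchecked param() pattern quoted above beside a hardened version of the same lookup. The template directory path and the .xml suffix requirement are assumptions (the advisory only shows template.xml and does not describe the Amaya install layout); the hardened function restricts `templ` to a single file-name component and then confirms that the resolved path is still inside the template directory.

```perl
#!/usr/bin/perl
# Added example, not sendtemp.pl itself: the unchecked param() pattern from
# the advisory next to a hardened lookup for the same `templ` parameter.
use strict;
use warnings;
use CGI qw(param header);
use Cwd qw(realpath);
use File::Spec;

# Assumption: templates live in one directory. The real Amaya layout is not
# known, so this path is illustrative only.
my $TEMPLATE_DIR = '/usr/local/amaya/templates';

# Vulnerable: the query parameter is joined to the directory unchanged, so
# templ=../../etc/passwd walks out of the template directory (no chroot
# assumed), exactly as the advisory describes.
sub unsafe_template_path {
    my ($templ) = @_;
    return File::Spec->catfile($TEMPLATE_DIR, $templ);
}

# Hardened: accept only one file-name component, then verify that the
# resolved path is still under the template directory. The second check
# also catches a template file that is a symlink pointing elsewhere.
sub safe_template_path {
    my ($templ) = @_;
    return undef unless defined $templ;

    # Whitelist a single name: no '/', no leading '.', so '..' and dotfiles
    # are rejected before the file system is touched. Requiring .xml is an
    # assumption based on the template.xml example in the advisory.
    return undef unless $templ =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\.xml\z/;

    my $base = realpath($TEMPLATE_DIR) or return undef;
    my $path = realpath(File::Spec->catfile($base, $templ));
    return undef unless defined $path;                 # file does not exist
    return undef unless index($path, "$base/") == 0;   # escaped via symlink
    return $path;
}

# Request handling: refuse anything the whitelist does not accept.
my $templ = param('templ');
my $path  = safe_template_path($templ);

unless (defined $path) {
    print header(-status => '400 Bad Request', -type => 'text/plain');
    print "Invalid template name\n";
    exit 0;
}

open my $fh, '<', $path or do {
    print header(-status => '404 Not Found', -type => 'text/plain');
    print "Template not found\n";
    exit 0;
};
print header(-type => 'text/xml');
print while <$fh>;
close $fh;
```

Two practical notes when testing the original issue: the number of `../` components needed depends on the directory sendtemp.pl opens templates from, so `../../etc/passwd` is only the example depth; and a chroot()ed httpd only bounds the damage, since any file inside the chroot that the httpd UID can read is still exposed through the same request.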