COMMAND

    Faqmanager.cgi

SYSTEMS AFFECTED

    Faqmanager.cgi versions before 2.2.6

PROBLEM

    Nu Omega Tau posted:

    Faqmanager can be used to read files on the server that the httpd has access to. Example:

        faqmanager.cgi?toc=/etc/passwd%00

    will show the system's /etc/passwd file. Exploitation with Windows systems wasn't tested.

SOLUTION

    Update available:

        http://www.fourteenminutes.com/code/faqmanager/FAQmanager_2.2.6.zip

    Note: The new version seems to be semi-secure; it doesn't filter out the null byte, just the slash. Nor does it filter out dots. On some operating systems, I believe only BSD ones, bugs like these can be used to read directory listings. For example, when entering a dot the current directory's listing can be viewed. Also, the source of scripts in the current directory can still be viewed, nasty if you installed the script directly in your /cgi-bin directory and you have all your other scripts in there too.

    A solution would be to replace the untaint routine in the script with this slightly modified one that filters out the null byte:

        sub untaint {
            return "" if (!$_[0]);
            my $taint = $_[0];
            $taint =~ s/[\|\/]//g;        # drop pipe and slash characters
            $taint =~ s/\0//g;            # drop embedded null bytes
            $taint =~ /^[\<\+\>]*(.*)$/;  # skip any leading '<', '+', '>' and capture the rest
            return $1;                    # _not_ return $taint
        }
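As an added example (not FAQmanager's own code), the advisory's untaint routine is shown beside a hypothetical, stricter safe_toc_path that accepts only a bare topic name and confirms the resolved file stays under the FAQ directory, run over constructed inputs including the advisory's toc value, a lone dot, and a script name:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Cwd qw(realpath);

# The untaint routine proposed in the advisory: drops '|' and '/', drops NUL,
# then returns everything after any leading '<', '+' or '>' characters.
sub untaint_advisory {
    return "" if (!$_[0]);
    my $taint = $_[0];
    $taint =~ s/[\|\/]//g;
    $taint =~ s/\0//g;
    return $taint =~ /^[\<\+\>]*(.*)$/ ? $1 : "";
}

# Stricter replacement (hypothetical, not FAQmanager code): the toc value must
# be a bare topic name (no dots, slashes or NUL), and "<name>.faq" must resolve
# to an existing file inside $faq_dir. Returns the resolved path or undef.
sub safe_toc_path {
    my ($toc, $faq_dir) = @_;
    return undef unless defined $toc && $toc =~ /^([A-Za-z0-9_-]{1,64})\z/;
    my $name = $1;                       # untainted via the capture
    my $base = realpath($faq_dir) or return undef;
    my $real = realpath(File::Spec->catfile($base, "$name.faq"));
    return undef unless defined $real && -f $real
        && substr($real, 0, length($base) + 1) eq "$base/";
    return $real;
}

# Constructed demo: a throwaway FAQ directory holding one topic file.
my $dir = tempdir(CLEANUP => 1);
open my $fh, '>', "$dir/intro.faq" or die "cannot write: $!";
print $fh "FAQ: intro\n";
close $fh;

for my $in ("/etc/passwd\0", ".", "faqmanager.cgi", "intro") {
    (my $shown = $in) =~ s/\0/\\0/g;     # make the NUL visible in output
    my $a = untaint_advisory($in);       # "etcpasswd", ".", "faqmanager.cgi", "intro"
    my $s = safe_toc_path($in, $dir);    # only "intro" is accepted
    printf "%-16s advisory=%-18s strict=%s\n", $shown, "'$a'",
           defined $s ? 'accepted' : 'rejected';
}
```

The advisory routine still passes "." and "faqmanager.cgi" through unchanged, which is exactly the directory-listing and script-source exposure the note above describes; the allowlist plus path-containment check rejects both.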