[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : MultiHTML vulnerability

Title: MultiHTML vulnerability
Released by: zillion
Date: 14th September 2000
Printable version: Click here
Title :                     MultiHTML vulnerability.

Description :         Retrieve files from the server.

Vendor status :    Notified and a new (not much improved) script is


Short description of the tool:


MultiHTML allows you to put an SSI call where you want the HTML file to

be displayed.

The SSI executes the MultiHTML program which displays whatever HTML file

you have it set to

display. The main reason i'm posting this is because of the fact that

this script is offerd

by many lets-expand-our-cgi-bins-to-make-us-look-good isp's.

The problems


The cgi script checks the extentions of the requested file to see if it

is ok. This easily can be

 tricked by using %00 ( Olaf Kirch )


further their is no dcumentroot specified in the script so we do not

need to use the ../../ here

because their is access to every directory on the system in question

(lame). Even if their was a

documentroot and they would filter the dots then you would have to make

sure that the script does

not contain any higher directory's. Because the open(FILE, "$multi")

functions in the script makes

 it easy to bypass .htaccess files.

The solution:


Be a man and learn how to use ssi without a script. Or beg someone to

write a new one ;)



(C) 1999-2000 All rights reserved.