[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Arbitrary File Disclosure in Moreover.com's Cached_Feed.cgi

Title: Arbitrary File Disclosure in Moreover.com's Cached_Feed.cgi
Released by: CDI
Date: 2nd October 2000
Printable version: Click here

Arbitrary File Disclosure in Moreover.com's Cached_Feed.cgi

Application: cached_feed.cgi

Vendor: Moreover.com

Version: 1.0, Last Updated 4.July.00

         Note, the version is implied. They never actually put a version

         number in the file, just a "last updated" date.

Vendor Status: Notified, although they fixed it prior to my notification

               to them.

Fix: Download new version 2.0.



  *yawn* Yet another CGI that lacks sufficient (or in this case -any-)

  input validation, leading to the exposure of readable files on the



  The cached_feed CGI supplied by Moreover.com is used to retrieve news

headlines from the Moreover.com site, and then store them for retrieval

and display within your own local web site.  The program accepts two

arguments on the QUERY_STRING; The news category to retrieve, and the

format the headlines should be returned in. The two arguments are supplied

to the CGI using a raw query string in the form 'category+format' which

in turn becomes $ARGV:

  $category = @ARGV[0];

  $format   = @ARGV[1];

These two lines comprise the bulk of the data validation performed by the

CGI. Here's the flaw in the source:

  # Constants

  $base_dir        = ".";

  $cache_dir       = "$base_dir/cached_newsfeeds";

  $cache_file      = "$cache_dir/".$category.".".$format;

And a little later on...

  if ($age < $cache_time)


     $feed = &obtain_file($cache_file);


The 'obtain_file' function reads the file specified and returns it's

contents. The CGI wraps up by printing the contents of the file back to

the browser. '$cache_time' defaults to 15 minutes. This limits the

functionality of the exploit a bit as the targeted file needs to have been

created or modified in the last 15 minutes.

So, if your password file has been modified within the last 15 minutes,

the obvious exploit for this flaw will allow an intruder to retrieve the

file.  The file will also be retrieved if the CGI is unable to contact the

Moreover server or if the Moreover server takes longer than 30 seconds to

respond. A crafty intruder could potentially induce such a delay using a

ping flood against the victim host.

Obvious Exploit:


Vendor Status:

  I first started playing with the CGI on Sept 5th. During my testing I

accidently tipped off Moreover by not immediately disabling the headline

retrieval function while I was testing. This means that Moreover's server

valiantly attempted to handle a few requests containing '/etc/passwd'

attempts.  (I was trying to yank the password file off my own server, not

Moreovers) Apparently someone at Moreover was actually paying attention,

because on Sept 10th, they issued an updated verion of the CGI containing

the following change notes:

  # Version 2

  # ---------

  # In this version:


  # o Potential security hole fixed

Their fixes included exiting if unable to contact the Moreover server to

retrieve the headlines, as well as munging the requested cache file to

prevent directory traversal. (It still doesn't really validate - just

munges. *sigh*)



The Web Master's Net


   "We're sysadmins. We do remember. We don't forgive."

                      -- Mike Andrews in the Monastery

(C) 1999-2000 All rights reserved.