||Home : Advisories : Anaconda Foundation Directory NULL byte vulnerability|
||Anaconda Foundation Directory NULL byte vulnerability
||13th October 2000
Synnergy Laboratories Advisory SLA-2000-17
Anaconda Foundation Directory NULL byte vulnerability
Linux/UNIX with Anaconda Foundation Directory
Synnergy Labs has found a flaw within Anaconda Foundation Directory that allows a user to
successfully traverse the filesystem on a remote host, allowing arbitary files/folders to
The Anaconda Foundation Directory is a Yahoo style search engine based on the Open Directory
project, www.dmoz.org. The Anaconda Foundation Directory allows you to dynamically integrate content into
your site's own look and feel. This is the exact same content that Lycos features on their
front page! Product pricing is $499 US.
Anaconda Foundation Directory can be found at:http://anacondapartners.com/ap_afodpdemo.html
Synnergy has recently discovered a flaw within Anaconda Foundation Directory that allows a remote
user to traverse the filesystem as a request to the script using the $template=_some_file_. It is
then possible to read any file contents with priviledges as the httpd.
Although the script checks for the file extension (.htm, .html, .html, .stm) adding a trailing
%00.html, (a NULL byte in URL encoded format), at the end of the request will force the script to
open the file.
The above line if given will output the file contents of /etc/resolv.conf.
The vendors have been informed of the bug. It is advised to wait for the next patched version of
Anaconda Foundation Directory to be released.
Discovery: pestilence @ synnergy.net
Synnergy Laboratories may not be held liable for the use or potential
effects of these programs or advisories, nor the content contained
within. Use them at your own risk.
Synnergy Laboratories - www.synnergy.net (c) 1998-2000