||Home : Advisories : News Desk 1.2 CGI Vulnerability|
||News Desk 1.2 CGI Vulnerability
||3rd January 2001
News Desk 1.2 (newsdesk.cgi) is a news
submission script which is written in perl and allows
someone on a remote computer to connect to the
server and post news submissions without logging
into the actual server. By logging into the cgi with a
custom login and password (pass.txt) the admin is
able to post the latest headline news to his/her
website with ease.
The Vendors website is:
Adding the string "/../" to an URL allows an attacker to
view any file on the server, and also list directories
within the server which the owner of the vulnerable
httpd has permissions to access.
^^ = Will obviously open the passwd file, if
^^ = Will open the password string which can be used
to login to the newsdesk.cgi and post new news, or
with special variables the ability to upload/post html to
the htdoc's directory, possibly leading to a
defacement of the webpage.
^^ = Will obviously list the /etc/ directory. Not all
servers will list directories, but most apear to.
Note: It depends on where they install newsdesk.cgi,
not always in a cgi-bin, so it could be installed with
any path. Just goto your favorite search engine and
search for newsdesk.cgi and voila. There is also
some other variants of this cgi script out there, most
of them are noticeable by the news.cgi?
a=something&t=meow.html format. Notice the a= &
t= which is a clear give-away to Newsdesk.
Vendor has been contacted. And will release a
updated version which is supposed to be more
Special Thanks to:
Which contributed this:
Remote command execution is possible on most
sites if you use the correct directory syntax such
as ../../../bin/ls%20/| is a working example, many
more commands are possible if you play around with
it a bit, such as spawning xterms.
b10z cgi advisory.
Found on December 10th, 2000.
Posted to BugTraq Jan 3rd, 2001.