[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : News Desk 1.2 CGI Vulnerability

Title: News Desk 1.2 CGI Vulnerability
Released by: slipy@b10z.net
Date: 3rd January 2001
Printable version: Click here

News Desk 1.2 (newsdesk.cgi) is a news 

submission script which is written in perl and allows 

someone on a remote computer to connect to the 

server and post news submissions without logging 

into the actual server. By logging into the cgi with a 

custom login and password (pass.txt) the admin is 

able to post the latest headline news to his/her 

website with ease.

The Vendors website is:



Adding the string "/../" to an URL allows an attacker to 

view any file on the server, and also list directories 

within the server which the owner of the vulnerable 

httpd has permissions to access.




^^ = Will obviously open the passwd file, if 




^^ = Will open the password string which can be used 

to login to the newsdesk.cgi and post new news, or 

with special variables the ability to upload/post html to 

the htdoc's directory, possibly leading to a 

defacement of the webpage.



^^ = Will obviously list the /etc/ directory. Not all 

servers will list directories, but most apear to.

Note: It depends on where they install newsdesk.cgi, 

not always in a cgi-bin, so it could be installed with 

any path. Just goto your favorite search engine and 

search for newsdesk.cgi and voila. There is also 

some other variants of this cgi script out there, most 

of them are noticeable by the news.cgi?

a=something&t=meow.html format. Notice the a= & 

t= which is a clear give-away to Newsdesk.


Vendor has been contacted. And will release a 

updated version which is supposed to be more 


Special Thanks to:

zenomorph <http://www.cgisecurity.com>

Which contributed this:

Remote command execution is possible on most 

sites if you use the correct directory syntax such 

as ../../../bin/ls%20/| is a working example, many 

more commands are possible if you play around with 

it a bit, such as spawning xterms.


Found By:

b10z cgi advisory.


Found on December 10th, 2000.

Posted to BugTraq Jan 3rd, 2001.

(C) 1999-2000 All rights reserved.