Htmlscript file access bug

Summary
Description:Another stupid .. bug.
Author:Dennis Moore <rainking@FEEDING.FRENZY.COM>
Compromise:read any file the web server can read on the remote system.
Vulnerable Systems:Those running htmlscript (distributed by www.htmlscript.com)
Date:26 January 1998
Details


Date: Mon, 26 Jan 1998 18:49:37 -0600
From: Dennis Moore <rainking@FEEDING.FRENZY.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Vulnerability in htmlscript

Htmlscript (www.htmlscript.com) has a vulnerability in it which allows you
to access system files, presumably any file the web server user can access.
I don't have the source or even a copy of the program itself, so I can't
say whether this is a configuration problem or not.  However, the fact that
the site which distributes the software is vulnerable is not promising.

According to its website, Miva (htmlscript 3.0) "is an HTML based web
development language which provides the power of scripting via new,
easy-to-use tags."

The exploit:
http://www.vulnerable.server.com/cgi-bin/htmlscript?../../../../etc/passwd

I suppose the number of ..s will depend on the location of the cgi program.
I glanced through their configuration file and it has a variable called
'htmlscriptroot' in it.  Since you would apparently get an error if this
were not set, I don't think setting it resolves the problem.

I did not discover this exploit, and I have no previous experience with
htmlscript.  The individual who reported it to me wishes to remain
anonymous.  They confirmed the problem on at least one other server using
the cgi.  Please do not email me about this problem.

--
pity this busy monster, manunkind,         |    Dennis  Moore    |       Sarah
not. Progress is a comfortable disease.    | rainking@frenzy.com |   McLachlan
   -e.e. cummings: One Times One           |  archon on the irc  |     "Black"
If I cried me a river of all my confessions would I drown in my shallow regret?

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]