Pagelog.cgi File Disclosure/Creation Vulnerability

A directory traversal bug exists in pagelog.cgi by Metertek (Metertek@yahoo.com). The script fails to check for '../' sequences in path and filename information supplied by the user. As a result, requests such as

http://securehost/cgi-bin/pagelog.cgi?display=../../../../tmp/private

will, when supplied to the script, cause the server to display the contents of the file 'private.log'.

As well, it is possible to use this vulnerability to create files anywhere the web server has write permission.

For example,

http://server/cgi-bin/pagelog.cgi?name=../../../../../tmp/newfile

will create the files '/tmp/newfile.txt' and '/tmp/newfile.log'.

By exploiting these flaws, an attacker can read log files and create (and potentially overwrite) files accessible to the webserver.

While unverified, it is theoretically possible for an attacker with local access to elevate his privilege level to that of the webserver, by making use of a symlink attack.
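The missing check and the symlink concern described above can both be handled where the filename is built. The following is an added example, not code from pagelog.cgi or its author: a Python sketch of validating the `display`/`name` value and creating the file safely. The function names, the allowlist pattern and the log directory are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumption: log names are short alphanumeric tokens; the script's real naming
# rules are not given in the advisory.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_log(base_dir, user_value, suffix=".log"):
    """Map a 'display' or 'name' value to a path inside base_dir, else ValueError."""
    # Allowlist first: anything containing '/', '.', or NUL never reaches the filesystem.
    if not SAFE_NAME.fullmatch(user_value):
        raise ValueError("illegal log name")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value + suffix))
    # Containment check after symlink resolution: a link planted in the log
    # directory that points elsewhere is rejected here.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes log directory")
    return candidate


def create_log(base_dir, user_value, suffix=".log"):
    """Create a new file; never follow a symlink or overwrite an existing file."""
    path = resolve_log(base_dir, user_value, suffix)
    # O_EXCL fails if the name already exists; O_NOFOLLOW (where the platform
    # has it) refuses a symlink swapped in after the check above.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    os.close(os.open(path, flags, 0o640))
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as log_dir:  # constructed sandbox directory
        print(create_log(log_dir, "visits", ".txt"))
        # The two parameter values from the advisory are both refused.
        for value in ("../../../../tmp/private", "../../../../../tmp/newfile"):
            try:
                resolve_log(log_dir, value)
            except ValueError as err:
                print(repr(value), "->", err)
```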


 

Copyright 2010, SecurityFocus