Pagelog.cgi File Disclosure/Creation Vulnerability
A directory traversal bug exists in pagelog.cgi by Metertek (Metertek@yahoo.com). The script fails to check for '../' sequences in path and filename information supplied by the user. As a result, sequences such as
will, when supplied to the script, cause the server to display the contents of the file 'private.log'.
As well, it is possible to use this vulnerability to create files anywhere the web server has write permission.
will create the files '/tmp/newfile.txt' and '/tmp/newfile.log'.
By exploiting these flaws, an attacker can read log files and create (and potentially overwrite) files accessible to the web server.
While unverified, it is theoretically possible for an attacker with local access to elevate his privilege level to that of the web server by making use of a symlink attack.
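
The missing check, sketched as an added example; this is not Metertek's code and not part of the original advisory. The function names, the log directory layout and the allowed-name policy are assumptions. It rejects '../' in the user-supplied name, confirms the resolved path stays inside the log directory, and creates files without following a planted symlink.

```python
import os
import re
import tempfile

# Assumed policy: log names are short, alphanumeric plus '_' and '-'.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def resolve_log_path(log_dir, name, ext=".log"):
    """Map a user-supplied log name to a path inside log_dir, or raise ValueError."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("illegal log name")
    base = os.path.realpath(log_dir)
    candidate = os.path.realpath(os.path.join(base, name + ext))
    # Second layer: with symlinks resolved, the target must still be under base.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes log directory")
    return candidate

def create_log(log_dir, name):
    """Create a new log file; never overwrite, never follow a symlink."""
    path = resolve_log_path(log_dir, name)
    # O_EXCL refuses any existing path (symlinks included); O_NOFOLLOW is an
    # extra guard on platforms that provide it.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    os.close(os.open(path, flags, 0o640))
    return path

def demo():
    """Run constructed inputs through the checks and return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        log_dir = os.path.join(root, "logs")
        os.mkdir(log_dir)
        # Constructed inputs: one benign name, two traversal attempts.
        for name in ["visits", "../private", "../../tmp/newfile"]:
            try:
                create_log(log_dir, name)
                results[name] = "created"
            except ValueError as exc:
                results[name] = "rejected: " + str(exc)
        # Constructed symlink, as a local user might plant in the log directory.
        os.symlink(os.path.join(root, "victim"), os.path.join(log_dir, "evil.log"))
        try:
            create_log(log_dir, "evil")
            results["evil"] = "created"
        except (ValueError, OSError) as exc:
            results["evil"] = "rejected: " + type(exc).__name__
    return results
```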