BugTraq
Back to list
|
Post reply
EORF2003-04: sbox path disclosure problem
Sep 25 2003 05:35PM
Julio e2fsck Cesar (e2fsck bol com br)
---------------------------
EightOne Research Facility
---------------------------
EORF2003-04 (security advisory)
Title: sbox has a information disclosure problems
Author: Julio "e2fsck" Cesar
Vendor: http://stein.cshl.org/WWW/software/sbox
Versions: sbox 1.04 and later
Date: 18 Sep 2003
1. Description
sbox is a CGI wrapper that allows CGIs to be executed more safely. What
sbox does is "box" the CGI script into a secure enviroment and run it.
EightOne Research Facility has discovered a path disclosure problem in
sbox, which allows malicious users to know the physical path of the server
and the username of the domain.
2. Details
When a user makes a request to /cgi-bin directory, sbox intermediates
this query and executes the CGI script in a restricted enviroment, but before
this execution, it makes some checking such as CGI scripts in world-writable
directories. When a query to a non-existent script in /cgi-bin is made, sbox
display an error that reveals some information that shouldn't be revealed,
such as physical path.
Here is an example: http://your.vulnerable.site/cgi-bin/non-existent.pl
and look what we get
-- snip --
Sbox Error
The sbox program encountered an error while processing this request.
Please note the time of the error, anything you might have been doing at
the time to trigger the problem, and forward the information to this
site's Webmaster (root (at) your.vulnerable (dot) site [email concealed]).
Stat failed. /home/jcf/cgi-bin/a.pl: No such file or directory
sbox version 1.04
$Id: sbox.c,v 1.9 2000/03/28 20:12:40 lstein Exp $
-- unsnip --
It revealed the username of the domain and the physical path of cgi-bin
directory. And is possible to use the gotten username to make brute force
attacks to guess the user's password to obtain unauthorized access.
3. Solution
Stein Laboratory has been contacted but I haven't received any reply yet.
Thanks Despise for being this cool guy and helped us when we needed.
Sorry if there are english mistakes.
Regards,
members of EightOne.
EightOne Research Facility - http://eightone.mafiadodiva.org
Recife, PE, Brazil
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
---------------------------
EightOne Research Facility
---------------------------
EORF2003-04 (security advisory)
Title: sbox has a information disclosure problems
Author: Julio "e2fsck" Cesar
Vendor: http://stein.cshl.org/WWW/software/sbox
Versions: sbox 1.04 and later
Date: 18 Sep 2003
1. Description
sbox is a CGI wrapper that allows CGIs to be executed more safely. What
sbox does is "box" the CGI script into a secure enviroment and run it.
EightOne Research Facility has discovered a path disclosure problem in
sbox, which allows malicious users to know the physical path of the server
and the username of the domain.
2. Details
When a user makes a request to /cgi-bin directory, sbox intermediates
this query and executes the CGI script in a restricted enviroment, but before
this execution, it makes some checking such as CGI scripts in world-writable
directories. When a query to a non-existent script in /cgi-bin is made, sbox
display an error that reveals some information that shouldn't be revealed,
such as physical path.
Here is an example: http://your.vulnerable.site/cgi-bin/non-existent.pl
and look what we get
-- snip --
Sbox Error
The sbox program encountered an error while processing this request.
Please note the time of the error, anything you might have been doing at
the time to trigger the problem, and forward the information to this
site's Webmaster (root (at) your.vulnerable (dot) site [email concealed]).
Stat failed. /home/jcf/cgi-bin/a.pl: No such file or directory
sbox version 1.04
$Id: sbox.c,v 1.9 2000/03/28 20:12:40 lstein Exp $
-- unsnip --
It revealed the username of the domain and the physical path of cgi-bin
directory. And is possible to use the gotten username to make brute force
attacks to guess the user's password to obtain unauthorized access.
3. Solution
Stein Laboratory has been contacted but I haven't received any reply yet.
Thanks Despise for being this cool guy and helped us when we needed.
Sorry if there are english mistakes.
Regards,
members of EightOne.
EightOne Research Facility - http://eightone.mafiadodiva.org
Recife, PE, Brazil
[ reply ]