Synnergy Laboratories Advisory SLA-2000-17 - A flaw in Linux/UNIX Anaconda Foundation Directory, a yahoo style search engine based on the Open Directory Project allows remote users to traverse the webservers filesystem, allowing arbitary files to be read by appending a trailing NULL byte in URL encoded format. Exploit URL included.
114471e6a48ade395cf5dd9910cfbb9ebc5b97960e372c164656001a5ddd2840 Synnergy Laboratories Advisory SLA-2000-17
NAME
Anaconda Foundation Directory NULL byte vulnerability
AFFECTED
Linux/UNIX with Anaconda Foundation Directory
SYNOPSIS
Synnergy Labs has found a flaw within Anaconda Foundation Directory that allow
s a user to
successfully traverse the filesystem on a remote host, allowing arbitary files
/folders to
be read.
DESCRIPTION
The Anaconda Foundation Directory is a Yahoo style search engine based on the
Open Directory
project, www.dmoz.org. The Anaconda Foundation Directory allows you to dynamic
ally integrate content into
your site's own look and feel. This is the exact same content that Lycos featu
res on their
front page! Product pricing is $499 US.
Anaconda Foundation Directory can be found at:https://anacondapartners.com/ap_a
fodpdemo.shtml
Synnergy has recently discovered a flaw within Anaconda Foundation Directory t
hat allows a remote
user to traverse the filesystem as a request to the script using the $template
=_some_file_. It is
then possible to read any file contents with priviledges as the httpd.
Although the script checks for the file extension (.htm, .html, .shtml, .stm)
adding a trailing
%00.html, (a NULL byte in URL encoded format), at the end of the request will
force the script to
open the file.
Example:
https://www.target.com/cgi-bin/apexec.pl?etype=odp&template=../../../../../../.
./../../etc/resolv.conf%00.html&passurl=/category/
The above line if given will output the file contents of /etc/resolv.conf.
SOLUTION
The vendors have been informed of the bug. It is advised to wait for the next
patched version of
Anaconda Foundation Directory to be released.
AUTHOR
Discovery: pestilence @ synnergy.net
DISCLAIMER
Synnergy Laboratories may not be held liable for the use or potential
effects of these programs or advisories, nor the content contained
within. Use them at your own risk.
COPYRIGHT
Synnergy Laboratories - www.synnergy.net (c) 1998-2000
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed