|
 |
| SecurityReason | ||
| WLB | ||
| RSS | ||
| Corporate | ||
| Services | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
| Details : SecurityAlert | ||||
 SecurityAlert : 4265 CVE : CVE-2008-4112 CVE : CVE-2008-3195 CWE : CWE-22 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Victim interaction required : No Exploit Given : Yes Credit : Th1nk3r Published : 18.09.2008
Advisory Text : ########################################################################### ##################################### # # # TWiki 4.2.0 File Disclosure Vuln (configure) # # # ########################################################################### ##################################### "We're brazilian newbies!!! :p" - Th1nk3r Info --------------------------------------------------------------------------- ------------------------------------- Classe : Input Validation Error Remote : Yes Local : No Date : 05/08/2008 Credits : Th1nk3r (cnwfhguohrugbo / gmail.com) Greetz : w4n73d h4ck3r, Vitor, Vonnatur, FuradordeSyS, B470-Killer, M4v3rick. Description --------------------------------------------------------------------------- ------------------------------------- TWiki version 4.2.0 (I haven't tested other versions) is vulnerable to a File Disclosure. It's only possible to exploit the bug if you can access the "/bin/configure" script. Otherwise, you can not exploit this bug. Vulnerable code of "/bin/configure" script: if( $action eq 'image' ) { # SMELL: this call is correct, but causes a perl error # on some versions of CGI.pm # print $query->header(-type => $query->param('type')); # So use this instead: print 'Content-type: '.$query->param('type')."\n\n"; if( open(F, 'logos/'.$query->param('image' ))) { local $/ = undef; print <F>; close(F); } exit 0; } The bug is in the open() function. The file is set by visitor, and there is no protection added by the programmer. Note that "$query->param('type')" can be set by the visitor. Therefore, you'll set it to "text/plain". Exploit --------------------------------------------------------------------------- ------------------------------------- To exploit the bug, you just need set the "image" variable to the path of file you wish to view. The file will be revealed if you have permission to view it. By example, to show the "/etc/passwd" file content, go to : http://www.examplo.org/{PATH}/bin/configure?action=image;image=../../../.. /../../etc/passwd;type=text/plain Solution --------------------------------------------------------------------------- ------------------------------------- Read "http://twiki.org/cgi-bin/view/TWiki/TWikiInstallationGuide", Basic Installation, topic 8, for more information of how to protect your "configure" script. References : http://www.kb.cert.org/vuls/id/362012 http://twiki.org/cgi-bin/view/Codev/TWikiRelease04x02x03#4_2_3_Bugfix_Highl ights http://www.milw0rm.com/exploits/6269 http://www.kb.cert.org/vuls/id/RGII-7JEQ7L Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Microsoft VISTA TCP/IP stack buffer overflow
Microsoft Device IO Control wrapped by the iphlpapi.dll API shipping with Windows Vista 32 bit and 64 bit contains a possibly exploitable, buffer overflow corrupting kernel memory. |
||
| Apache |  |
|
» Apache Tomcat <= |
||
| PHP | |
|
» PHP |
||
- 2008-11-27| Copyright © SecurityReason. All Rights Reserved. |