SuSE 6.x, 7.x


    Maurycy Prodeus found the following.  He found a weakness in the
    sdbsearch.cgi script, which is part of the SuSE distribution.  It is
    a Perl script, and since SuSE 7.1 some form of protection has been
    introduced (the interpreter is called with taint checking).

    Sdbsearch.cgi trusts the content of the HTTP_REFERER variable, which
    is set by the client side during HTTP requests.  Part of this data is
    used to locate the file with keywords and referenced files.  If there
    is a possibility to put such a file on the attacked host (e.g. upload
    through ftpd) with special content, sdbsearch will use open() to get
    access to the matching files.  So the standard open() pipe-based
    attack is possible (only without the -T option).  The name of the
    uploaded file has to be "keylist.txt", because only the pathname is
    manipulated, using double dots.

    The proof of concept is very simple: just create a harmful keylist.txt,
    for instance in the /tmp directory, and send a request to the HTTP
    server like this:

        GET /cgi-bin/sdbsearch.cgi?stichwort=keyword HTTP/1.0
        (very deep traversal, because we don't know what DOCUMENT_ROOT is)

    and create example content for /tmp/keylist.txt like this:

        $ echo -e "keyword\0touch exploitable|" > /tmp/keylist.txt

    After a successful attempt there will be an "exploitable" file in /tmp.


    SuSE 6.x, 7.x (7.1 and 7.2 have taint protection, but even then
    sdbsearch can be made to read files which shouldn't be read).  Just
    filter the HTTP_REFERER variable.
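    As an added illustration (not the code of sdbsearch.cgi; the directory
    layout under DOCUMENT_ROOT and the two-letter language token are
    assumptions), here is the vulnerable open() pattern next to a hardened
    version that filters the Referer-derived path and uses three-argument
    open():

```perl
#!/usr/bin/perl
# Added example, not SuSE's sdbsearch.cgi: build the keylist.txt path from
# a client-supplied Referer without letting the client choose the path.
use strict;
use warnings;
use File::Spec;
use Cwd qw(realpath);

# Assumed layout (the real script's paths are not given in the advisory).
my $DOCROOT = '/usr/local/httpd/htdocs';
my $SDB_DIR = File::Spec->catdir($DOCROOT, 'sdb');

# Vulnerable pattern described above: a directory taken from HTTP_REFERER
# is glued into a path and handed to two-argument open(), whose filename
# syntax treats a trailing "|" as "run this command and read its output".
# ".." in the Referer selects an uploaded keylist.txt, and any name taken
# from that file and opened the same way can end in "|".
#   my $path = "$DOCROOT/" . referer_dir($ENV{HTTP_REFERER}) . "/keylist.txt";
#   open(KEYS, $path) or die;          # referer_dir() is hypothetical

# Hardened: extract only a two-letter language token from the Referer,
# resolve the resulting path, refuse anything outside $SDB_DIR, and use
# three-argument open() so the filename is never parsed as a pipe.
sub keylist_path {
    my ($referer) = @_;
    return undef unless defined $referer;
    my ($lang) = $referer =~ m{/sdb/([a-z]{2})/}i or return undef;
    my $base = realpath($SDB_DIR) or return undef;
    my $real = realpath(File::Spec->catfile($base, lc $lang, 'keylist.txt'))
        or return undef;                        # missing file -> undef
    return undef unless index($real, "$base/") == 0;   # must stay inside
    return $real;
}

sub read_keylist {
    my ($referer) = @_;
    my $path = keylist_path($referer) or return ();
    open(my $fh, '<', $path) or return ();      # '<' is the mode; no pipe
    my @lines = <$fh>;
    close $fh;
    return @lines;
}

# CGI entry point: HTTP_REFERER is whatever the client sent, or absent.
my @keys = read_keylist($ENV{HTTP_REFERER});
print "Content-Type: text/plain\r\n\r\n", scalar(@keys), " keyword lines\n";
```

    Every later open() of a name read from the list needs the same
    three-argument form and the same containment check, otherwise the
    taint-mode protection only narrows the attack to reading files.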

    Official fix: