COMMAND

    Anaconda Foundation Directory

SYSTEMS AFFECTED

    Linux/UNIX with Anaconda Foundation Directory

PROBLEM

    Following   is   based   on   a   Synnergy  Laboratories  Advisory
    SLA-2000-17.   Synnergy  Labs  has  found  a  flaw within Anaconda
    Foundation Directory that allows  a user to successfully  traverse
    the filesystem on a  remote host, allowing arbitary  files/folders
    to be read.

    The Anaconda Foundation Directory  is a Yahoo style  search engine
    based on the Open  Directory project, www.dmoz.org.   The Anaconda
    Foundation Directory allows  you to dynamically  integrate content
    into  your  site's  own  look  and  feel.   This is the exact same
    content that Lycos features on their front page!  Product  pricing
    is $499 US.

    Synnergy has recently discovered a flaw within Anaconda Foundation
    Directory that allows a remote user to traverse the filesystem  as
    a request to  the script using  the $template=_some_file_.   It is
    then possible to  read any file  contents with priviledges  as the
    httpd.  Although the script  checks for the file extension  (.htm,
    .html, .shtml, .stm) adding a  trailing %00.html, (a NULL byte  in
    URL encoded  format), at  the end  of the  request will  force the
    script to open the file.  Example:

        http://www.target.com/cgi-bin/apexec.pl?etype=odp&template=../../../../../../../../../etc/resolv.conf%00.html&passurl=/category/

    The  above  line  if  given  will  output  the  file  contents  of
    /etc/resolv.conf.

SOLUTION

    The vendors have been informed of  the bug. It is advised to  wait
    for the next patched  version of Anaconda Foundation  Directory to
    be released.