COMMAND

    Interactive Story

SYSTEMS AFFECTED

    Interactive Story 1.3

PROBLEM

    The following is based on qDefense Advisory Number QDAV-2001-7-3.
    Interactive Story does not properly validate the contents of a
    hidden field named "next". By setting that field to the name of a
    file, and using double dots and poison nulls, an attacker can cause
    Interactive Story to display the contents of any file.

    Interactive Story contains the following lines:

        $nextfile = "$story_dir/$in{'next'}.txt";
        ...
        elsif ((-e $nextfile)  && ($in{'submit'} eq "")) {
        ...
        
               while (<STORY>) {
                  print $_;
               }
        ...
        }

    If an attacker sets the "next" field to something like

        ../../../../../../../../../../etc/passwd%00

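    Interactive Story will open and display the password file. The
    double dots climb out of the story directory, and the null byte
    that %00 decodes to ends the file name when it is passed to the
    operating system, so the ".txt" suffix appended by the script is
    dropped. This technique can be used to display any file that the
    web server has permission to read.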

SOLUTION

    Valerie Mates has released an upgrade, version 1.4, which strips
    special characters from the "next" field.
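
    The following is an added example, not code from Interactive Story
    or from the 1.4 upgrade. It shows one way to validate "next" with an
    allowlist that rejects the value instead of stripping characters.
    The helper name safe_story_path, the directory, the permitted
    character set and the sample values are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not from Interactive Story): returns the story file
# path for a "next" value, or undef if the value is not a plain page name.
sub safe_story_path {
    my ($story_dir, $next) = @_;
    return unless defined $next;
    # Allowlist: letters, digits, underscore and hyphen only (assumed to be
    # enough for story page names). This rejects "..", "/" and the NUL byte
    # that %00 decodes to. \A and \z anchor the whole string, so a trailing
    # newline cannot slip through as it could with $.
    return unless $next =~ /\A[A-Za-z0-9_-]{1,64}\z/;
    return "$story_dir/$next.txt";
}

# Constructed sample values, as they look after CGI URL-decoding.
my $story_dir = "/var/www/story/data";    # assumed location
my @samples = (
    "chapter2",                           # ordinary page name
    "../../../../etc/passwd\0",           # traversal plus poison null
    "chapter2\0",                         # poison null alone
    "sub/page",                           # path separator
    "",                                   # empty field
);

for my $next (@samples) {
    (my $shown = $next) =~ s/\0/\\0/g;    # make the NUL visible when printed
    my $path = safe_story_path($story_dir, $next);
    printf "%-28s => %s\n", "'$shown'", defined $path ? $path : "REJECTED";
}
```

    Only the first sample yields a path; the other four are rejected
    before any file test or open is attempted.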