BNCweb File Disclosure Vulnerability
BNCweb is a set of CGI scripts developed at the University of Zürich as a
user-friendly query interface to the British National Corpus. It allows
linguists to retrieve lexical, grammatical and textual data from this 100
million word collection of English texts using a web browser. For more
information see http://homepage.mac.com/bncweb/home.html
BNCweb has been found prone to a file disclosure vulnerability that allows
attackers to read any file accessible to the CGI user (typically "wwwrun")
anywhere in the server's file systems by supplying a trivially manipulated URL
to the query script. This includes web server and system password files,
opening the door for further compromises. However, exploitation requires access
to the script itself, which in a correctly installed system is protected by the
web server's access control mechanism, so only registered users are able to
carry out an attack.
The reason for this vulnerability is a piece of obsolete code left over from a
development version. As a quick fix, the author suggests removing lines 23 to
25 in the BNCquery.pl script. This has no effect on the script's normal
functionality.
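As an added illustration, not code from the BNCweb project or from this advisory, the following Python shows the general mitigation for this class of bug in a CGI handler: the file name taken from the query string is restricted to an allow-listed character set, then canonicalised and checked to lie strictly inside one corpus directory before the file is opened. The directory layout, file names and the serve_corpus_file handler are constructed for the example and are not BNCweb's; the demo() function builds a throwaway corpus in a temporary directory so the checks can be exercised offline.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Optional

# Layer 1: a relative name made of safe characters, never starting with "." or "/".
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_./-]*$")


def resolve_under_root(user_supplied: str, root: Path) -> Optional[Path]:
    """Return the canonical path for user_supplied if it lies strictly inside root.

    Returns None for anything that escapes root: absolute paths, "../" segments,
    NUL bytes, or a symlink inside root that points outside it.
    """
    if not user_supplied or "\0" in user_supplied or os.path.isabs(user_supplied):
        return None
    root_resolved = root.resolve()
    # resolve() collapses ".." components and follows symlinks, so the check
    # below sees where the file really is, not how the request spelled it.
    candidate = (root_resolved / user_supplied).resolve()
    try:
        candidate.relative_to(root_resolved)
    except ValueError:
        return None  # escaped the corpus directory
    if candidate == root_resolved:
        return None  # the directory itself is not a file to serve
    return candidate


def serve_corpus_file(param: str, root: Path) -> tuple:
    """Hypothetical CGI handler: returns (HTTP status, body) for a file request."""
    if not SAFE_NAME.match(param):
        return (400, "invalid file name")
    target = resolve_under_root(param, root)  # layer 2: confine the real path
    if target is None or not target.is_file():
        return (404, "not found")
    return (200, target.read_text())


def demo() -> dict:
    """Build a constructed corpus directory and return {request: status} for sample requests."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "corpus"
        (root / "texts").mkdir(parents=True)
        (root / "texts" / "A00.txt").write_text("sample corpus text")
        secret = Path(tmp) / "secret.txt"  # constructed file outside the corpus root
        secret.write_text("must never be served")
        try:
            (root / "texts" / "escape").symlink_to(secret)  # symlink pointing outside
        except OSError:
            pass  # symlinks unavailable; the request then simply maps to nothing
        requests = [
            "texts/A00.txt",            # legitimate request
            "texts/../../secret.txt",   # passes the regex, caught by path confinement
            "../secret.txt",            # rejected by the regex
            "/etc/passwd",              # absolute path, rejected by the regex
            "texts/escape",             # symlink out of root, caught by confinement
            "texts/A00.txt\0.jpg",      # NUL byte, rejected by the regex
        ]
        return {r: serve_corpus_file(r, root)[0] for r in requests}


if __name__ == "__main__":
    for request, status in demo().items():
        print(repr(request), "->", status)
```

The two layers are deliberately redundant: the regex alone would already stop the "../" requests, but the canonicalisation step is what catches a symlink or an unexpected directory layout, which a character allow-list cannot see.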