Remote Web Server Text File Viewing Vulnerability in WebLibs 1.0

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Remote Web Server Text File Viewing Vulnerability in WebLibs 1.0
From: John Bissell <monkey321_1@xxxxxxxxxxx>
Date: 8 Dec 2004 03:41:20 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Advisory:
=========
 Remote Web Server Text File Viewing Vulnerability in WebLibs 1.0

Author:
=======
 John Bissell A.K.A. HighT1mes

Vendor Homepage:
================
 http://awsd.com/

Date:
=====
 12, 07, 2004

Severity:
=========
 High

Overview:
=========
WebLibs is a pretty popular simple little Perl script made avaiable from  
Darryl C. Burgdorf on his site at http://awsd.com/scripts/weblibs/index.shtml. 
This script is very old and I'm surprised no one else came upon this 
vulnerability a while ago. People can install the script on there server so 
they can invite visitors to thier site to have some fun and create there own 
mad libs called web libs to amuse at...

Problem Details:
================
The security vulnerability as whoever is reading this might guess is caused by 
a lack of proper input validation when the weblibs.pl script reads in a static 
piece of sensitive data hidden in a hidden <INPUT> tag embedded inside the 
dynamically generated web page. This lack of input validation leads to a 
typical directory traversal attack (sometimes directory traversal isn't even 
needed if the web enviroment is setup in a particular way) that can be 
leveraged to read in non-executable text file from the vulnerable web server 
that the web server has permission. The line of Perl code that causes this 
vulnerability is...

open (FILE,"$FORM{'TextFile'}");

There may be a way to get local files to execute on the system or get the 
output from commands like ls -la. I haven't done any through testing so I will 
leave this open for the computer security community to look into if they wish.

Explotation:
============
To exploit this vulnerability the attacker/pen tester needs to first save a 
copy of the initial generated WebLibs page that asks for the users input so the 
script can generate the results for the user. Next after making a local copy of 
that page you need to look for the HTML <INPUT> tag that has a name="TextFile" 
attribute. For instance <INPUT type=hidden 
value="/some/path/to/the/weblibs/input.txt" name="TextFile"> 

Now simply edit the line to something other non executable server file like 
/etc/passwd or /etc/hosts etc to read sensitive private data from the 
vulnerable web server which may give the the person attacking a chance at 
gaining shell access to the web server. For example edit the HTML line 
mentioned above to something like <INPUT type=hidden 
value="/../../../../../etc/passwd" name="TextFile"> then save the file and load 
it up in your web browser, fill in all the form input fields hit the submit 
button and the vulnerable web server will return the contents of the text file 
requested if allowed.

Solution:
=========
 One possible solution is to not use the hidden <INPUT> tag in the generated 
pages from weblibs.pl and instead define $TextFile as a user installation 
variable that needs to be filled in only in the beginning by the script 
installer so the attacker can't easily manipulate it.

Vendor Status:
==============
 The author of this script has been notified by email of this issue...

Prev by Date: Multiple Vulnerabilities in paFileDB 3.1
Next by Date: MD5 To Be Considered Harmful Someday
Previous by thread: Re: Multiple Vulnerabilities in paFileDB 3.1
Next by thread: MD5 To Be Considered Harmful Someday
Index(es):
- Date
- Thread