
Faqmanager.cgi File Read Vulnerability

by Nikola Strahija on January 11th, 2002


Description (from official page): FAQmanager is a simple Perl script that allows you to easily set up and maintain a FAQ (Frequently Asked Questions).

Vulnerability: FAQmanager can be used to read any file on the server that the httpd has access to. Example: faqmanager.cgi?toc=/etc/passwd%00 will show the system's /etc/passwd file. Exploitation on Windows systems wasn't tested.

Vendor notified: Yes, new version available:
http://www.fourteenminutes.com/code/faqmanager/FAQmanager_2.2.6.zip

Note: The new version seems to be only semi-secure: it doesn't filter out the null byte, just the slash, and it doesn't filter out dots either. On some operating systems, I believe only BSD ones, bugs like these can be used to read directory listings; for example, entering a single dot shows the current directory's listing. The source of scripts in the current directory can also still be viewed, which is nasty if you installed the script directly in your /cgi-bin directory alongside all your other scripts. A solution would be to replace the untaint routine in the script with this slightly modified one, which also filters out the null byte:

sub untaint
{
    return "" if (!$_[0]);

    my $taint = $_[0];

    $taint =~ s/[|\/]//g;   # strip pipe and slash characters
    $taint =~ s/\0//g;      # strip null bytes, which would truncate the name passed to open()
    # The character class of the original match was lost when the page was
    # extracted; the regex capture is what untaints the value under perl -T.
    $taint =~ /^(.*)$/s;
    return $1; # _not_ return $taint
}
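As an added example (not part of the advisory or of FAQmanager itself), the check an untaint routine for the toc parameter ought to perform, re-implemented in Python: the value is URL-decoded, rejected if it carries a NUL byte or anything outside a short name whitelist (so "." and "../" never reach open()), and the final path is confined to the FAQ directory. The directory /var/www/faq and the ".faq" suffix the script appends are assumptions made for the example.

```python
import os
import re
from urllib.parse import unquote

# Constructed example values: where the FAQ files live and the suffix the
# script appends to the toc value (the suffix is what %00 truncated away).
FAQ_DIR = "/var/www/faq"
FAQ_SUFFIX = ".faq"

# Only plain names: no slash, no dot, no NUL, no shell metacharacters.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class RejectedToc(ValueError):
    """Raised when the toc parameter fails validation."""


def validate_toc(raw_toc: str, faq_dir: str = FAQ_DIR) -> str:
    """Return the absolute path of the FAQ file named by the URL-encoded
    toc parameter, or raise RejectedToc with the reason."""
    toc = unquote(raw_toc)  # "%00" becomes a real NUL byte here
    if "\0" in toc:
        raise RejectedToc("embedded NUL byte")
    if not NAME_RE.fullmatch(toc):
        raise RejectedToc("name contains characters outside the whitelist")
    base = os.path.realpath(faq_dir)
    candidate = os.path.realpath(os.path.join(base, toc + FAQ_SUFFIX))
    # Belt and braces: even with the whitelist, confirm the resolved path
    # is still inside the FAQ directory before it is ever opened.
    if os.path.commonpath([base, candidate]) != base:
        raise RejectedToc("resolved path escapes the FAQ directory")
    return candidate


def check_toc(raw_toc: str, faq_dir: str = FAQ_DIR):
    """Convenience wrapper: (accepted, path_or_reason)."""
    try:
        return True, validate_toc(raw_toc, faq_dir)
    except RejectedToc as exc:
        return False, str(exc)


if __name__ == "__main__":
    for raw in ("/etc/passwd%00", ".", "..%2F..%2Fetc%2Fpasswd", "install"):
        print(raw, "->", check_toc(raw))
```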

