From marshal@MARSHAL-SOFT.COM Thu Dec 21 02:43:56 2000
From: Marshal
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Tue, 19 Dec 2000 11:33:00 +0100
Subject: Re: [BUGTRAQ] NSFOCUS SA2000-09 : AHG EZshopper Loadpage.cgi FileListDisclosure Vulnerability

Hello,

I made an error in my previous mail. I stated that all files ABOVE $root can be viewed; this is not true. I meant all dirs UNDER $root, so if you have $root=/home/marshal you can view all files under /home/marshal/* but can't go to /home/ or any other dir above /home/marshal. Of course you get the user level of the httpd daemon, so this is your restriction when trying to view files. The $root variable can be found in setcart.pl.

The correct info can be found here:
http://www.securiteam.com/unixfocus/AHG_EZshopper_loadpage_cgi_exposes_sensitive_file_and_directory_contents.html

Most of the time people who use AHG have $root=/ or $root=/home/pages/, which in the first case makes it possible to view all the files on the system which are viewable with the user supplied by the http daemon. And the second one makes it possible to view all the webpages including the cgi-bin directory, so you can look at the code of scripts that are parsed at the server side because the loadpage.cgi scripts kept it from parsing.

A better solution from AHG would be to only let it view .html and .htm documents and to exclude .cgi or any other kind of file.

Greetings
Marshal.

Marshal wrote:
>
> I also contacted AHG about it a long time ago, it seems that they had an
> update.
> This update is still vuln, loadpage is possible to view any file above
> the specified $root= dir in the config file. but execution and viewing
> files with search is no longer possible.
> I contacted them about it, they did nothing.
>
> But yes, this advisory is old news.
>
> suid@SNEAKERZ.ORG wrote:
> >
> > Uhh... guys I don't really mean to dis you but...
> > It sometimes pays to research a bit before releasing advisories.
> > Here is something I posted (to bugtraq no less) on the 28 of feb this year.
> >
> > k thx bye
> >
> > suid@suid.kg - EZ Shopper 3.0 remote command execution.
> >

--
Greetings,
Marshal
[ url : http://www.startplaza.nu | security news & links ]
[ url : http://www.heknet.com | security news & exploits ]
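
The mitigation proposed in the message above (serve only .html and .htm, and only from under $root), sketched as an added example; this is not AHG's code and not part of the original mail. The helper name `resolve_page`, the refusal of `$root=/`, and the sample directory tree are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not AHG's code: containment check plus extension allowlist
# for a page loader that maps a request parameter onto a file under $root.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Hypothetical helper: returns the canonical path if $requested may be served,
# otherwise returns undef.
sub resolve_page {
    my ($root, $requested) = @_;
    return if !defined $requested || $requested =~ /\0/;  # reject NUL bytes in the name
    my $base = realpath($root);
    return if !defined $base || $base eq '/';             # assumption: never serve from $root=/
    my $full = realpath(File::Spec->catfile($base, $requested));
    return if !defined $full || !-f $full;                # must exist and be a regular file
    return if index($full, "$base/") != 0;                # still under $root after .. and symlinks resolve
    return if $full !~ /\.html?\z/i;                      # allowlist: .html and .htm only
    return $full;
}

# Constructed sample tree: a page, a server-side script, and a file outside $root.
my $tmp = tempdir(CLEANUP => 1);
make_path("$tmp/pages/cgi-bin");
for my $f ("pages/index.html", "pages/cgi-bin/setcart.pl", "secret.txt") {
    open(my $fh, '>', "$tmp/$f") or die "create $f: $!";
    print {$fh} "constructed sample\n";
    close($fh);
}

# Constructed requests: a normal page, script source, traversal, NUL-suffixed name.
for my $req ("index.html", "cgi-bin/setcart.pl", "../secret.txt", "index.html\0.pl") {
    (my $shown = $req) =~ s/\0/\\0/g;
    my $verdict = defined(resolve_page("$tmp/pages", $req)) ? "served" : "refused";
    printf "%-22s %s\n", $shown, $verdict;
}
```

The extension check runs on the canonical path rather than on the raw parameter, so a symlink named `page.html` that points at a script is refused as well.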