header-logo
Suggest Exploit
vendor:
Classifieds.cgi
by:
Greg Matthews
7.5
CVSS
HIGH
File Disclosure Vulnerability
20
CWE
Product Name: Classifieds.cgi
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2020

Classifieds.cgi File Disclosure Vulnerability

Classifieds.cgi is a perl script (part of the classifieds package by Greg Matthews) which provides simple classified ads to web sites. Due to improper input validation it can be used to read files on the host machine, with the privileges of the web server. This can be accomplished by embedding the input redirection metacharacter along with a filename into the form field used for e-mail address entry (<input name=return>). Any file that the web server process has read access to can be retrieved.

Mitigation:

Input validation should be properly implemented to prevent malicious input from being accepted.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/2020/info

Classifieds.cgi is a perl script (part of the classifieds package by Greg Matthews) which provides simple classified ads to web sites. Due to improper input validation it can be used to read files on the host machine, with the privileges of the web server. This can be accomplished by embedding the input redirection metacharacter along with a filename into the form field used for e-mail address entry (<input name=return>). Any file that the web server process has read access to can be retrieved. 

Submit email@host</etc/passwd as e-mail address.

Navigation

Suggest Exploit

Services By CQR