Vendor: Mini SQL
By: SecurityFocus
CVSS: 8.3 (HIGH)
W3-mSQL CGI Script Directory Traversal
CWE: 22
Product Name: Mini SQL
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2001
W3-mSQL CGI Script Directory Traversal
Under certain versions of Mini SQL, the w3-msql CGI script allows users to view directories that are set for private access via .htaccess files. W3-mSQL converts any form data passed to a script into global Lite variables, which the script code can then access. An attacker can use this vulnerability to gain access to protected directories and files through two approaches. The first approach requires the attacker to know the location and directory structure of the site they are attacking. The second approach gives the intruder a DES-encrypted password, which they can then attempt to crack with any number of popular cracking utilities.
Mitigation:
Upgrade to the latest version of Mini SQL and ensure that all .htaccess files are properly configured.