qdav-2001-7-3

来自「一个FTP密码破解程序的源代码」· 代码 · 共 52 行

Interactive Story File Disclosure Vulnerability
qDefense Advisory Number QDAV-2001-7-3

Product: Interactive Story

Vendor: Valerie Mates (http://www.valeriemates.com)

Severity: Remote; Attacker may read arbitrary file

Versions Affected: Version 1.3

Vendor Status: Vendor contacted; has released new version, 1.4, which is 
not vulnerable

Cause: Failure to validate input

In Short: Interactive Story does not properly validate the contents of a 
hidden field entitled "next". By setting that field to the name of a file, 
and using double dots and poison nulls, an attacker can cause Interactive 
Story to display the contents of any file.


The current version of this document is available at 
http://qDefense.com/Advisories/QDAV-2001-7-3.html.

Details:
Interactive Story contains the following lines:

$nextfile = "$story_dir/$in{'next'}.txt";
...
elsif ((-e $nextfile)  && ($in{'submit'} eq "")) {
...

       while (<STORY>) {
          print $_;
       }
...
}

If an attacker sets the "next" field to something like 
../../../../../../../../../../etc/passwd%00, Interactive Story will open 
and display the password file. This technique can be used to display any 
file that the web server has permission to read.
Solution:

Valerie Mates has released an upgrade, version 1.4, which strips special 
characters from the "next" field.