[LWN Logo]
[Timeline]
Date:         Fri, 13 Oct 2000 01:27:24 +0300
From: pestilence <pestilence@SYNNERGY.NET>
Subject:      Anaconda Advisory
To: BUGTRAQ@SECURITYFOCUS.COM

This is a multi-part message in MIME format.
--------------79CD1BE0C3701BCDE815D13C
Content-Type: text/plain; charset=iso-8859-7
Content-Transfer-Encoding: 7bit

Since this is a commercial program and i haven't received any ack, or
info from the vendors i shall publish the advisory.

Kostas Petrakis aka Pestilence
pestilence@synnergy.net


--------------79CD1BE0C3701BCDE815D13C
Content-Type: text/plain; charset=iso-8859-7;
 name="SLA-17.Anaconda.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="SLA-17.Anaconda.txt"

        Synnergy Laboratories Advisory SLA-2000-17

NAME

       Anaconda Foundation Directory NULL byte vulnerability

AFFECTED

        Linux/UNIX with Anaconda Foundation Directory

SYNOPSIS

 Synnergy Labs has found a flaw within Anaconda Foundation Directory that allows a user to
 successfully traverse the filesystem on a remote host, allowing arbitary files/folders to
 be read.


DESCRIPTION

 The Anaconda Foundation Directory is a Yahoo style search engine based on the Open Directory
 project, www.dmoz.org. The Anaconda Foundation Directory allows you to dynamically integrate content into
 your site's own look and feel. This is the exact same content that Lycos features on their
 front page! Product pricing is $499 US.

 Anaconda Foundation Directory can be found at:http://anacondapartners.com/ap_afodpdemo.shtml

 Synnergy has recently discovered a flaw within Anaconda Foundation Directory that allows a remote
 user to traverse the filesystem as a request to the script using the $template=_some_file_. It is
 then possible to read any file contents with priviledges as the httpd.
 Although the script checks for the file extension (.htm, .html, .shtml, .stm) adding a trailing
 %00.html, (a NULL byte in URL encoded format), at the end of the request will force the script to
 open the file.

 Example:

 http://www.target.com/cgi-bin/apexec.pl?etype=odp&template=../../../../../../../../../etc/resolv.conf%00.html&passurl=/category/


 The above line if given will output the file contents of /etc/resolv.conf.

SOLUTION

  The vendors have been informed of the bug. It is advised to wait for the next patched version of
  Anaconda Foundation Directory to be released.


AUTHOR

        Discovery: pestilence @ synnergy.net


DISCLAIMER

        Synnergy Laboratories may not be held liable for the use or potential
        effects of these programs or advisories, nor the content contained
        within. Use them at your own risk.

COPYRIGHT

        Synnergy Laboratories -  www.synnergy.net (c) 1998-2000

--------------79CD1BE0C3701BCDE815D13C--