Date: Fri, 13 Oct 2000 01:27:24 +0300 From: pestilence <pestilence@SYNNERGY.NET> Subject: Anaconda Advisory To: BUGTRAQ@SECURITYFOCUS.COM This is a multi-part message in MIME format. --------------79CD1BE0C3701BCDE815D13C Content-Type: text/plain; charset=iso-8859-7 Content-Transfer-Encoding: 7bit Since this is a commercial program and i haven't received any ack, or info from the vendors i shall publish the advisory. Kostas Petrakis aka Pestilence pestilence@synnergy.net --------------79CD1BE0C3701BCDE815D13C Content-Type: text/plain; charset=iso-8859-7; name="SLA-17.Anaconda.txt" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="SLA-17.Anaconda.txt" Synnergy Laboratories Advisory SLA-2000-17 NAME Anaconda Foundation Directory NULL byte vulnerability AFFECTED Linux/UNIX with Anaconda Foundation Directory SYNOPSIS Synnergy Labs has found a flaw within Anaconda Foundation Directory that allows a user to successfully traverse the filesystem on a remote host, allowing arbitary files/folders to be read. DESCRIPTION The Anaconda Foundation Directory is a Yahoo style search engine based on the Open Directory project, www.dmoz.org. The Anaconda Foundation Directory allows you to dynamically integrate content into your site's own look and feel. This is the exact same content that Lycos features on their front page! Product pricing is $499 US. Anaconda Foundation Directory can be found at:http://anacondapartners.com/ap_afodpdemo.shtml Synnergy has recently discovered a flaw within Anaconda Foundation Directory that allows a remote user to traverse the filesystem as a request to the script using the $template=_some_file_. It is then possible to read any file contents with priviledges as the httpd. Although the script checks for the file extension (.htm, .html, .shtml, .stm) adding a trailing %00.html, (a NULL byte in URL encoded format), at the end of the request will force the script to open the file. Example: http://www.target.com/cgi-bin/apexec.pl?etype=odp&template=../../../../../../../../../etc/resolv.conf%00.html&passurl=/category/ The above line if given will output the file contents of /etc/resolv.conf. SOLUTION The vendors have been informed of the bug. It is advised to wait for the next patched version of Anaconda Foundation Directory to be released. AUTHOR Discovery: pestilence @ synnergy.net DISCLAIMER Synnergy Laboratories may not be held liable for the use or potential effects of these programs or advisories, nor the content contained within. Use them at your own risk. COPYRIGHT Synnergy Laboratories - www.synnergy.net (c) 1998-2000 --------------79CD1BE0C3701BCDE815D13C--