[[ RFP's note: I have verified this vulnerability in the current version on the site indicated below. The most severe problem would be that the "$input{'cat'}.dat" open in banner.cgi would allow an attacker to run commands (the 'cat' parameter is not double-checked/filtered in any way). The other CGIs are less severe because they (should) be kept out of access by the public, since they let you admin the whole banner system without any native auth. ]]

----------------------------------------------------------------------------

PRODUCT
*******

AdStreamer
http://www.sha-la-la.com/adstreamer/

DESCRIPTION
***********

This software has many open() calls that can be exploited with Perl tricks like ../, %00, |, etc.

bash-2.05$ egrep 'open|system|exec|eval' *.cgi
addbanner.cgi:# This script is apart of the Banner Manager system. It will add banners
addbanner.cgi:open(HEADERFILE, "banner/$thebannercat.dat") || die("error opening the file $thebannercat.dat");
addbanner.cgi:open(HEADERFILE, ">banner/$thebannercat.dat") || die("error opening the file $thebannercat.dat");
addbanner.cgi: open(HEADERFILE, ">>banner/$logfile") || die("error opening the file $logfile");
addbanner.cgi: open(HEADERFILE, ">banner/$logfile") || die("error opening the file $logfile");
banner.cgi:# This script is apart of the Banner Manager system. It adds banner
banner.cgi:open(HEADERFILE, "$input{'cat'}.dat") || die("error opening the file $input{'cat'}.dat");
banner.cgi:open(HEADERFILE, ">$input{'cat'}.dat") || die("error opening the file $input{'cat'}.dat");
banner.cgi: open(HEADERFILE, ">>$logfile") || die("error opening the file $logfile");
banner.cgi: open(HEADERFILE, ">$logfile") || die("error opening the file $logfile");
bannereditor.cgi:# This script is apart of the Banner Manager system. It preforms banner
bannereditor.cgi:open(HEADERFILE, "titles.dat") || die("error opening the file titles.dat");
bannereditor.cgi: open(HEADERFILE, "$input{'cat'}.dat") || die("error opening the file $input{'cat'}.dat");
bannereditor.cgi: open(HEADERFILE, ">$input{'cat'}.dat") || die("error opening the file $input{'cat'}.dat");
bannereditor.cgi: open(HEADERFILE, "$input{'cat'}.dat") || die("error opening the file $input{'cat'}.dat");
bannereditor.cgi: open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
bannereditor.cgi: open(HEADERFILE, ">categories.dat") || die("error opening the file categories.dat");
bannereditor.cgi: open(HEADERFILE, ">ref.dat") || die("error opening the file ref.dat");
bannereditor.cgi: open(HEADERFILE, ">titles.dat") || die("error opening the file titles.dat");
bannereditor.cgi: open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
bannereditor.cgi: open(HEADERFILE, "$cat.dat") || die("error opening the file $cat.dat");
bannereditor.cgi: open(HEADERFILE, ">$cat.dat") || die("error opening the file $cat.dat");
bannereditor.cgi: open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
bannereditor.cgi: open(HEADERFILE, "$cat.dat") || die("error opening the file $cat.dat");
bannereditor.cgi: open(HEADERFILE, ">>ref.dat") || die("error opening the file ref.dat");
bannereditor.cgi: open(HEADERFILE, ">>titles.dat") || die("error opening the file titles.dat");
bannereditor.cgi: open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
bannereditor.cgi: open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
bannereditor.cgi: open(HEADERFILE, "$cat.dat") || die("error opening the file $cat.dat");
bannereditor.cgi: open(HEADERFILE, ">>$cat.dat") || die("error opening the file $cat.dat");
bannereditor.cgi: open(HEADERFILE, ">$input{'newcat'}.dat") || die("error opening the file $input{'newcat'}.dat");
bannereditor.cgi: open(HEADERFILE, ">>categories.dat") || die("error opening the file categories.dat");
bannereditor.cgi: open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
bannereditor.cgi: open(HEADERFILE, "$cat.dat") || die("error opening the file $cat.dat");
bannereditor.cgi: open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
bannereditor.cgi: open(HEADERFILE, "ref.dat") || die("error opening the file ref.dat");
jump.cgi:# This script is apart of the Banner Manager system. It recieves every
jump.cgi:open(HEADERFILE, "ref.dat") || die("error opening the file ref.dat");
jump.cgi: open(HEADERFILE, ">>$logfile") || die("error opening the file $logfile");
jump.cgi: open(HEADERFILE, ">$logfile") || die("error opening the file $logfile");
report2.cgi:# This script is apart of the Banner Manager system. It generates reports
report2.cgi:open(HEADERFILE, "titles.dat") || die("error opening the file titles.dat");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi: open(HEADERFILE, "$file.log") || die("error opening the file $file.log");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi: open(HEADERFILE, "$file.log") || die("error opening the file $file.log");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi: open(HEADERFILE, "$file.log") || die("error opening the file $file.log");
report2.cgi:open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi:open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");
report2.cgi:open(HEADERFILE, "$input{'log'}") || die("error opening the file $input{'log'}");
report2.cgi:open(HEADERFILE, "$input{'log'}") || die("error opening the file $input{'log'}");
report2.cgi:open(HEADERFILE, "$input{'log'}") || die("error opening the file $input{'log'}");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi:open(HEADERFILE, "categories.dat") || die("error opening the file categories.dat");

VENDOR NOTIFICATION
*******************

Vendor is informed now, along with the public. Not to worry, since malicious people don't read Bugtraq.

GOBBLES LABS
GOBBLES@hushmail.com
http://www.bugtraq.org/
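The grep output above shows the root cause: two-argument open() with a filename built straight from CGI input, so the mode (">", ">>", "|") and the path are both under the caller's control. As an added example that is not part of the advisory and not AdStreamer's code, here is a hardened stand-in for the "$input{'cat'}.dat" open in banner.cgi (the same shape fixes the "$input{'log'}" open in report2.cgi). The data directory, the function names and the sample inputs are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example, not AdStreamer's code: hardened replacement for
# open(HEADERFILE, "$input{'cat'}.dat") as quoted in the advisory.
use strict;
use warnings;
use File::Spec;

# Assumed location of the .dat files; the page does not say where
# AdStreamer keeps them.
my $DATA_DIR = '/var/www/adstreamer/banner';

# Allow-list the category name instead of trying to strip bad characters.
# "../", NUL (%00 after URL decoding), "|", ">" and whitespace all fail the
# character class, and \z (unlike $) also refuses a trailing newline.
# Returning the captured group is the untainting step if the CGI runs
# under perl -T.
sub clean_category {
    my ($cat) = @_;
    return undef unless defined $cat;
    return $cat =~ /\A([A-Za-z0-9_-]{1,32})\z/ ? $1 : undef;
}

# Build the path from the cleaned name only, never from the raw parameter,
# and always below the fixed data directory.
sub category_path {
    my ($cat) = @_;
    my $clean = clean_category($cat);
    die "invalid category\n" unless defined $clean;
    return File::Spec->catfile($DATA_DIR, "$clean.dat");
}

# Three-argument open with an explicit mode: a leading ">" or trailing "|"
# in the name is then just bytes in a filename, not a mode switch or a
# command pipe as it would be with two-argument open.
sub read_category {
    my ($cat) = @_;
    my $path = category_path($cat);
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    my @lines = <$fh>;
    close($fh);
    return @lines;
}

# Constructed inputs, checked without touching the filesystem.
for my $cat ('sports', 'sports|', '../secret', "sports\0", "sports\n") {
    (my $shown = $cat) =~ s/\0/\\0/g;   # make NUL visible
    $shown =~ s/\n/\\n/g;               # make newline visible
    printf "%-12s %s\n", $shown,
        defined clean_category($cat) ? 'accepted' : 'rejected';
}
```

Running the loop prints "accepted" only for "sports"; the other four are rejected before any path is built. The allow-list plus the three-argument open is the whole fix; adding -T to the shebang line makes Perl refuse to pass an unchecked parameter to open() at all, which would have caught every $input{...} line in the grep output.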