Synnergy Laboratories Advisory SLA-2000-17 NAME Anaconda Foundation Directory NULL byte vulnerability AFFECTED Linux/UNIX with Anaconda Foundation Directory SYNOPSIS Synnergy Labs has found a flaw within Anaconda Foundation Directory that allow s a user to successfully traverse the filesystem on a remote host, allowing arbitary files /folders to be read. DESCRIPTION The Anaconda Foundation Directory is a Yahoo style search engine based on the Open Directory project, www.dmoz.org. The Anaconda Foundation Directory allows you to dynamic ally integrate content into your site's own look and feel. This is the exact same content that Lycos featu res on their front page! Product pricing is $499 US. Anaconda Foundation Directory can be found at:http://anacondapartners.com/ap_a fodpdemo.shtml Synnergy has recently discovered a flaw within Anaconda Foundation Directory t hat allows a remote user to traverse the filesystem as a request to the script using the $template =_some_file_. It is then possible to read any file contents with priviledges as the httpd. Although the script checks for the file extension (.htm, .html, .shtml, .stm) adding a trailing %00.html, (a NULL byte in URL encoded format), at the end of the request will force the script to open the file. Example: http://www.target.com/cgi-bin/apexec.pl?etype=odp&template=../../../../../../. ./../../etc/resolv.conf%00.html&passurl=/category/ The above line if given will output the file contents of /etc/resolv.conf. SOLUTION The vendors have been informed of the bug. It is advised to wait for the next patched version of Anaconda Foundation Directory to be released. AUTHOR Discovery: pestilence @ synnergy.net DISCLAIMER Synnergy Laboratories may not be held liable for the use or potential effects of these programs or advisories, nor the content contained within. Use them at your own risk. COPYRIGHT Synnergy Laboratories - www.synnergy.net (c) 1998-2000