Vulnerable Program: Meta Tag Generator (meta.pl)
Platform          : UNIX
Company           : www.cgi-access.com
Impact            : Remote users can read arbitrary files with the privileges of the httpd user
Found by          : slackette (warminx@null.rewted.org)
Date              : 14th November

Meta Tag Generator
__________________

As quoted from their site, "You can now offer your visitors a Meta Tag Generator which will enable them to have their site's link ranked higher in search engine results."

www.CGI-access.com's Meta Tag Generator takes user input for a description or keywords pertaining to a user's site. It then generates the corresponding META tags for the site, which the user adds to the pages before submitting the site to various search engines.

Vulnerability
_____________

Meta Tag Generator places the physical path of its output.txt in a hidden field of the HTML form, and meta.pl trusts that value when it opens the file for display. A hidden field is still under the client's control: by editing it before submitting the form, a remote user can make meta.pl display any file readable by the UID the httpd server runs as. The hard-coded path appears in the VALUE attribute of the following element in the HTML source:

<INPUT TYPE=HIDDEN NAME=TextFile VALUE="/home/cgi-access/html/meta/output.txt">

Changing this VALUE causes meta.pl to output the file named by the user instead. This allows a remote user to view files such as /etc/passwd, provided the httpd user has read access to them.

Solution
____________

The path must not come from the form at all. Set the location of output.txt inside meta.pl itself (from a configuration setting or an environment variable) and ignore the TextFile field, so the path is neither displayed in the HTML nor read back from it. If the script must accept a file name from the client, restrict it to a plain file name within the fixed output directory and verify that the resolved path stays inside that directory.

-= warminx@null.rewted.org =-
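The pattern described above, as an added example written in Python rather than the advisory's Perl; it is not the code of meta.pl, which the advisory does not reproduce. It shows a handler that trusts the hidden TextFile field as a full path beside a hardened handler that keeps the file location server-side and confines any client-supplied name to that directory. META_DIR, the function names and the sample files are assumptions made for this demonstration.

```python
"""Client-controlled file path: the vulnerable pattern beside a hardened form.

Added example modelled on the TextFile hidden field described in the
advisory; it is not the code of meta.pl. META_DIR, the function names and
the sample files are assumptions made for this demonstration.
"""
import os
import tempfile

# Server-side location of the generated tag file. The hardened handler takes
# it from the server's configuration (here an environment variable, with a
# temporary directory as fallback so the demo runs anywhere); it is never
# written into, or read back from, the HTML form.
META_DIR = os.environ.get("META_DIR") or tempfile.mkdtemp(prefix="meta-")
OUTPUT_NAME = "output.txt"


def vulnerable_show(params):
    """Vulnerable pattern: trust the hidden TextFile field as a full path.

    Whatever path the client submits is opened with the privileges of the
    web server's UID, so TextFile=/etc/passwd returns /etc/passwd.
    """
    path = params.get("TextFile", "")
    with open(path, "r") as fh:
        return fh.read()


def hardened_show(params):
    """Hardened form: the client never chooses a path.

    The simplest fix is to ignore the field and open META_DIR/output.txt.
    If a name must be accepted, allow only a bare file name and confirm the
    resolved path still lies inside META_DIR.
    """
    name = params.get("TextFile", OUTPUT_NAME)
    # A bare file name has no directory part; this rejects absolute paths
    # and ../ traversal, and the explicit list rejects the empty name and
    # the directory entries "." and "..".
    if name != os.path.basename(name) or name in ("", ".", ".."):
        raise PermissionError("TextFile must be a plain file name")
    base = os.path.realpath(META_DIR)
    path = os.path.realpath(os.path.join(base, name))
    # Defence in depth: a symlink planted in META_DIR could still point
    # outside it, so check the resolved path, not the requested one.
    if os.path.commonpath([base, path]) != base:
        raise PermissionError("resolved path escapes META_DIR")
    with open(path, "r") as fh:
        return fh.read()


def setup_demo():
    """Constructed sample data: the legitimate output.txt inside META_DIR and
    a 'passwd' file elsewhere standing in for /etc/passwd. Returns its path."""
    os.makedirs(META_DIR, exist_ok=True)
    with open(os.path.join(META_DIR, OUTPUT_NAME), "w") as fh:
        fh.write('<META NAME="keywords" CONTENT="example, demo">\n')
    secret_dir = tempfile.mkdtemp(prefix="secret-")
    secret = os.path.join(secret_dir, "passwd")
    with open(secret, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")
    return secret


def demo():
    """Submit a tampered form to both handlers.

    Returns (what the vulnerable handler leaked, whether the hardened one
    refused the request).
    """
    secret = setup_demo()
    tampered = {"TextFile": secret}  # the edited hidden field
    leaked = vulnerable_show(tampered)
    try:
        hardened_show(tampered)
        refused = False
    except PermissionError:
        refused = True
    return leaked, refused


if __name__ == "__main__":
    leaked, refused = demo()
    print("vulnerable handler returned:", leaked.strip())
    print("hardened handler refused the request:", refused)
    print("hardened handler with untouched form:", hardened_show({}).strip())
```

The basename check alone stops absolute paths and traversal; the realpath comparison is there for the case where something inside the output directory is a symlink, which the first check cannot see. Running the block with META_DIR unset creates its own scratch directory, so the demo never touches a real /etc/passwd.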