Vulnerable Program: Meta Tag Generator (meta.pl)
Platform          : UNIX
Company           : www.cgi-access.com
Impact            : Remote users can view arbitrary files with httpd privileges
Found by          : slackette (warminx@null.rewted.org)
Date              : 14th November

Meta Tag Generator
__________________

As quoted from their site, "You can now offer your visitors a Meta Tag
Generator which will enable them to have their site's link ranked higher
in search engine results."

www.CGI-access.com's Meta Tag Generator takes user input for a description
or keywords pertaining to a user's site. It then creates specialised tags
for this process, before the user eventually submits their site to various
search engines.


Vulnerability
_____________

Meta Tag Generator uses a hard coded physical path for its output.txt.
By editing the hidden variable on the HTML form, a user can view any file
on the system with the privileges of the UID of the httpd server.

The following variable within the HTML source shows this hard coded path
to the output.txt in its VALUE attribute.

<INPUT TYPE=HIDDEN NAME=TextFile VALUE="/home/cgi-access/html/meta/output.txt">

Thus modifying this VALUE will cause the meta.pl form to output the
alternate file that is defined by the user. Of course this will allow a
remote user to view files such as /etc/passwd, if allowed read access to
the file.

Solution
____________

The simplest solution is to use environment variables for the output.txt
path in meta.pl itself, so that the form does not display direct hardcoded
links.

-= warminx@null.rewted.org =-
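
An added example of the fix described under Solution (not code from the advisory or from CGI-access; the vendor's meta.pl source is not shown here): a Perl CGI fragment that takes the output file path from a server-side environment variable, never uses the TextFile form field as a path, and refuses any path that resolves outside the expected directory. The names META_OUTPUT_FILE and trusted_output_file, and the assumption that the script only reads and prints the file, are illustrative.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);

# Assumption: the web server sets META_OUTPUT_FILE (hypothetical name), e.g.
# Apache: SetEnv META_OUTPUT_FILE /home/cgi-access/html/meta/output.txt
# Assumption: the output file must live under this directory.
my $ALLOWED_DIR = '/home/cgi-access/html/meta';

# Return the canonical path of the configured file, or undef when it is
# unset, missing, not a regular file, or resolves outside $allowed_dir.
sub trusted_output_file {
    my ($configured, $allowed_dir) = @_;
    return undef unless defined $configured && length $configured;
    return undef unless -f $configured && -d $allowed_dir;
    my $real = realpath($configured);
    my $base = realpath($allowed_dir);
    return undef unless defined $real && defined $base;
    # Compare canonical paths so ".." and symlinks cannot escape the base.
    return undef unless index($real, "$base/") == 0;
    return $real;
}

# Detection aid: a TextFile parameter is never used as a path. If one shows
# up in a GET query string, record it in the server error log.
if (($ENV{QUERY_STRING} // '') =~ /(?:^|[&;])TextFile=/i) {
    warn "meta.pl: ignored client-supplied TextFile parameter from "
       . ($ENV{REMOTE_ADDR} // 'unknown') . "\n";
}

my $file = trusted_output_file($ENV{META_OUTPUT_FILE}, $ALLOWED_DIR);
if (!defined $file) {
    print "Status: 500 Internal Server Error\r\n";
    print "Content-Type: text/plain\r\n\r\n";
    print "Output file is not configured correctly.\n";
    exit 0;
}

open(my $fh, '<', $file) or die "meta.pl: cannot open output file: $!\n";
print "Content-Type: text/plain\r\n\r\n";
print while <$fh>;
close $fh;
```

With this layout the hidden TextFile field can be removed from the HTML form entirely, since nothing on the server reads a path from the request.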