CVE-2000-0180
CVSS5.0
Published: 2000-03-14 00:00:00
Revised: 2008-09-05 16:20:20

[Original] Sojourn search engine allows remote attackers to read arbitrary files via a .. (dot dot) attack.


[CNNVD] Sojourn Search Engine CGI Program File Disclosure Vulnerability (CNNVD-200003-027)

        
        Sojourn is a commercial search engine product. Its home page is http://www.generationterrorists.com/sojourn_superuser.html
        Sojourn has a security flaw that can disclose the contents of files on the host.
        On a web server running this software, any file the web server process can read may be disclosed to a remote attacker. Sojourn lets a web site be organised into categories, which are accessed through sojourn.cgi (a Perl script), normally with a request of the form:
        http://target/cgi-bin/sojourn.cgi?cat=categoryname
        Each category has a matching .txt file named after categoryname. The script appends the '.txt' extension to the value of the 'cat' parameter and then displays the contents of that file. However, the script does not filter the '../' sequence in the 'cat' value, so an attacker can read any .txt file on the web server (provided the web server process has read permission on it). Even the .txt restriction is easily bypassed: appending %00 to the requested file name truncates the path at the NUL byte, so the appended .txt suffix is discarded and any readable file can be requested.
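The mechanism described above, as an added example that is not Sojourn's code (the Perl source of sojourn.cgi is not on this page). It is written in Python so it runs stand-alone: vulnerable_path() models the file name the script is described as building, including the NUL truncation behind the %00 trick; safe_category_path() is one hardened replacement; flag_traversal_requests() applies the same checks to constructed access-log lines to find exploitation attempts after the fact. CATEGORY_DIR, the function names and the log lines are assumptions, not taken from the advisory.

```python
"""Model of the sojourn.cgi 'cat' traversal and a hardened replacement.

Added example, not Sojourn's code: the Perl source of sojourn.cgi is not
on this page, so vulnerable_path() only models what the advisory says the
script did (append ".txt" to the cat parameter and open the result),
including the NUL truncation that let %00 discard the ".txt" suffix.
"""
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Assumed on-disk layout; the advisory does not say where Sojourn kept
# its category files.
CATEGORY_DIR = "/var/www/sojourn/categories"


def vulnerable_path(cat: str) -> str:
    """Path the original script effectively opened for ?cat=<cat>.

    Perl passed the concatenated string to the C library's open(2), which
    reads it as a NUL-terminated string, so anything after the first NUL
    byte (the appended ".txt" included) is dropped.  Modelled here with an
    explicit split; Python's own open() would instead raise ValueError.
    """
    raw = CATEGORY_DIR + "/" + cat + ".txt"
    return raw.split("\x00", 1)[0]


# Category names are plain tokens: no '.', '/', '\\' or NUL can get through.
_SAFE_CATEGORY = re.compile(r"[A-Za-z0-9_-]{1,64}")


def safe_category_path(cat: str, base_dir: str = CATEGORY_DIR) -> Optional[str]:
    """Return the category file to open, or None if the name is rejected.

    Defence in depth: an allow-list on the name, then a containment check
    on the resolved path so a later relaxation of the regex still cannot
    escape base_dir.
    """
    if not _SAFE_CATEGORY.fullmatch(cat):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, cat + ".txt"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed Common Log Format lines, not a real capture.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [13/Mar/2000:10:01:02 +0000] '
    '"GET /cgi-bin/sojourn.cgi?cat=music HTTP/1.0" 200 1204',
    '198.51.100.7 - - [13/Mar/2000:10:05:44 +0000] '
    '"GET /cgi-bin/sojourn.cgi?cat=../../../../../../etc/passwd%00 HTTP/1.0" 200 958',
    '198.51.100.7 - - [13/Mar/2000:10:06:01 +0000] '
    '"GET /cgi-bin/sojourn.cgi?cat=%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.0" 200 312',
    '203.0.113.3 - - [13/Mar/2000:10:09:30 +0000] '
    '"GET /index.html HTTP/1.0" 200 4411',
]

# client, then the request target, out of a CLF line.
_REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+) [^"]*"')


def flag_traversal_requests(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, decoded_cat) for requests to sojourn.cgi whose cat
    parameter contains a traversal sequence, a path separator or a NUL
    after URL-decoding.  Decoding first catches %2e%2e and %00 variants."""
    hits = []
    for line in lines:
        m = _REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        path, _, query = target.partition("?")
        if not path.endswith("/sojourn.cgi"):
            continue
        for cat in parse_qs(query, keep_blank_values=True).get("cat", []):
            if ".." in cat or "/" in cat or "\\" in cat or "\x00" in cat:
                hits.append((client, cat))
    return hits


if __name__ == "__main__":
    print(vulnerable_path("../../../../../../etc/passwd\x00"))
    print(safe_category_path("../../../../../../etc/passwd\x00"))
    for client, cat in flag_traversal_requests(SAMPLE_ACCESS_LOG):
        print(f"{client} -> {cat!r}")
```

A Python str can carry a NUL byte while the C open(2) that Perl called cannot, so the model truncates explicitly. The fix does not depend on that detail: the allow-list rejects NUL, '.', '/' and '\' before any path is built, and the realpath containment check stays valid even if the allow-list is later relaxed.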
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0180
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0180
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200003-027
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1052
(VENDOR_ADVISORY)  BID  1052
http://archives.neohapsis.com/archives/ntbugtraq/2000-q1/0201.html
(VENDOR_ADVISORY)  NTBUGTRAQ  20000313 SOJOURN Search engine exposes files
http://xforce.iss.net/static/4197.php
(UNKNOWN)  XF  sojourn-file-read(4197)

- Vulnerability information

Sojourn Search Engine CGI Program File Disclosure Vulnerability
Medium  Unknown
2000-03-14 00:00:00  2005-05-02 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patch:
        Generation Terrorists Designs & Concepts
        ----------------------------------------
        The vendor has released an updated version that fixes this issue; download it from the vendor's home page:
        
        http://www.generationterrorists.com/sojourn_superuser.html

- Vulnerability information (19808)

Generation Terrorists Designs & Concepts Sojourn 2.0 File Access Vulnerability (EDBID:19808)
cgi remote
2000-03-14 Verified
0 Cerberus Security Team
N/A
source: http://www.securityfocus.com/bid/1052/info

Any file that the webserver has read access to can be read on a server running the Sojourn search engine.

The Sojourn software includes the ability to organize a website into categories. These categories can then be accessed via the sojourn.cgi Perl script. This is done by making a request for a URL like:

http ://target/cgi-bin/sojourn.cgi?cat=categoryname

Each category has an associated .txt file based on the category name. The program appends the .txt extension onto the contents of the 'cat' variable. However, the program will accept and follow the '../' string in the variable contents, allowing read access to any .txt file the webserver can read.

This restriction can be bypassed by appending %00 to the end of the requested file, which will prevent the .txt extension from being used in the filename.

http ://target/cgi-bin/sojourn.cgi?cat=../../../../../../etc/passwd%00

- Vulnerability information

265
Sojourn Search Engine sojourn.cgi cat Parameter Traversal Arbitrary File Access
Remote / Network Access Information Disclosure
Loss of Confidentiality Workaround, Upgrade
Exploit Public Third-party Verified

- Vulnerability description

This host is running the 'sojourn.cgi' CGI program. This CGI contains a well-known security flaw that lets anyone read arbitrary files with the privileges of the http daemon (usually root or nobody). An attacker could use this to gain information about this host.

- Timeline

2000-03-13 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.01 or higher, as it has been reported to fix this vulnerability. It is also possible to temporarily work around the flaw by implementing the following workaround: Please remove 'sojourn.cgi' from the CGI-BIN directory on this host.

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
