CVE-2001-1242
CVSS 7.5
Published: 2001-07-17 00:00:00
Last revised: 2008-09-10 15:10:01

[Original] Directory traversal vulnerability in Un-CGI 1.9 and earlier allows remote attackers to execute arbitrary code via a .. (dot dot) in an HTML form.


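[CNNVD] Steve Grimm Un-CGI directory traversal vulnerability (CNNVD-200107-106)

CVE(CAN) ID: CAN-2001-1242

Un-CGI is a free CGI wrapper application. It is mainly used to parse URL input and pass it to CGI applications, and it can be used as a library or run stand-alone. However, it does not filter "../" sequences in user input, so remote users can access any file that the web server can access. The vulnerability can also be used to execute other scripts remotely.

<* Source: Khamba Staring (purrcat@edoropolis.org) *>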

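- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]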

- CPE (affected platforms and products)

cpe:/a:steve_grimm:un-cgi:1.7
cpe:/a:steve_grimm:un-cgi:1.8
cpe:/a:steve_grimm:un-cgi:1.1
cpe:/a:steve_grimm:un-cgi:1.0
cpe:/a:steve_grimm:un-cgi:1.6
cpe:/a:steve_grimm:un-cgi:1.9
cpe:/a:steve_grimm:un-cgi:1.4
cpe:/a:steve_grimm:un-cgi:1.2
cpe:/a:steve_grimm:un-cgi:1.6.1
cpe:/a:steve_grimm:un-cgi:1.5
cpe:/a:steve_grimm:un-cgi:1.6.2
cpe:/a:steve_grimm:un-cgi:1.3

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1242
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1242
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200107-106
(Official data source) CNNVD

- Other links and resources

http://www.iss.net/security_center/static/6846.php
(VENDOR_ADVISORY)  XF  uncgi-dot-directory-traversal(6846)
http://www.midwinter.com/~koreth/uncgi-changes.html
(UNKNOWN)  CONFIRM  http://www.midwinter.com/~koreth/uncgi-changes.html
http://archives.neohapsis.com/archives/bugtraq/2001-07/0287.html
(UNKNOWN)  BUGTRAQ  20010717 multiple vulnerabilities in un-cgi
http://www.securityfocus.com/bid/3056
(UNKNOWN)  BID  3056
http://archives.neohapsis.com/archives/bugtraq/2001-07/0349.html
(UNKNOWN)  BUGTRAQ  20010718 Re: [Khamba Staring <purrcat@edoropolis.org>] multiple vulnerabilities in un-cgi

- Vulnerability information

Steve Grimm Un-CGI directory traversal vulnerability
High risk  Input validation
2001-07-17 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        Temporary workaround:

        The following patch is a temporary fix provided by Khamba Staring (purrcat@edoropolis.org).

        
        --------------------------------------------------------------------------
        
        --- uncgi.c.old Thu Jul 12 12:42:09 2001
        
        +++ uncgi.c Thu Jul 12 13:24:35 2001
        
        @@ -60,6 +60,14 @@
        
        
        
        char *id = "@(#)uncgi.c 1.33 11/24/97";
        
        
        
        +
        
        +void four_oh_three()
        
        +{
        
        + printf("Content-Type: text/htm\n\n");
        
        + printf("You have no permission!\n");
        
        + exit(1);
        
        +}
        
        +
        
        /*
        
        * Convert two hex digits to a value.
        
        */
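
Review bot: in four_oh_three() the header is written as `Content-Type: text/htm`, a typo for text/html, and no `Status: 403` line is sent, so despite the function's name the web server will report the refusal with its default success status. Print a `Status: 403 Forbidden` header first and correct the content type; the body is plain text, so text/plain would also fit.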
        
        @@ -373,6 +381,18 @@
        
        char *shell, *script;
        
        {
        
        char *argvec[4], **ppArg = argvec, *pz;
        
        + struct stat f_stat;
        
        +
        
        + if(stat(script, &f_stat) == -1)
        
        + html_perror("stat (something like this; dunno what html_perror does
        
        exactly)");
        
        +
        
        +/*
        
        +** this should probably be expanded a bit; maybe check for S_IXUSR, S_IXGRP
        
        +** and S_IXOTH or the likes. Maybe add extra checks for suid or let the
        
        +** shell figure that out?
        
        +*/
        
        + if(!(f_stat.st_mode & S_IXUSR))
        
        + html_perror("not executable");
        
        
        
        /*
        
        * "shell" really points to the character following the "#!",
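
Review bot: the new check `if(!(f_stat.st_mode & S_IXUSR))` tests only the owner's execute bit, which says nothing about whether the user the CGI runs as may execute the script, and it never confirms that the target is a regular file; the added comment itself marks this as unfinished. Test S_ISREG(f_stat.st_mode) and use access(script, X_OK), or let the later exec fail and report that. Two smaller points: f_stat is read after a failed stat() unless html_perror() never returns, and the html_perror("stat ... string literal is broken across two lines as posted and will not compile until it is rejoined.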
        
        @@ -542,6 +562,21 @@
        
        #endif
        
        }
        
        
        
        +int check_path(char *evilpath)
        
        +{
        
        +#define RP_PATHLEN 1024
        
        + char resolved_path[RP_PATHLEN];
        
        +
        
        + if(!realpath(evilpath, resolved_path))
        
        + return(0); /* evil path cannot be read; this can't be good! */
        
        +
        
        + if(strncmp(SCRIPT_BIN, resolved_path, strlen(SCRIPT_BIN) - 1) == 0)
        
        + return(1); /* yay! */
        
        + else
        
        + return(0); /* boo! */
        
        +}
        
        +
        
        +
        
        #ifndef LIBRARY /* { */
        
        main(argc, argv)
        
        int argc;
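
Review bot: in check_path(), `strncmp(SCRIPT_BIN, resolved_path, strlen(SCRIPT_BIN) - 1)` is a bare prefix match that also drops the last character of SCRIPT_BIN, so a resolved path in a sibling directory whose name merely begins with the same characters is accepted. Compare the full strlen(SCRIPT_BIN) and require that the next character of resolved_path is '/' (or that SCRIPT_BIN itself ends in one). The 1024-byte resolved_path buffer is also smaller than what realpath() may write on systems where PATH_MAX is larger; size it with PATH_MAX.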
        
        @@ -600,6 +635,11 @@
        
        strcpy(program, SCRIPT_BIN);
        
        strncat(program + sizeof(SCRIPT_BIN) - 1, pathinfo, proglen);
        
        
        
        +#ifndef VOID_SECURITY
        
        + if(!check_path(program))
        
        + four_oh_three();
        
        +#endif
        
        +
        
        #ifdef DEBUG
        
        printf("Program path is ''\n", program);
        
        fflush(stdout);
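
Review bot: the `#ifndef VOID_SECURITY` guard around `if(!check_path(program))` gives builds a switch that silently removes the traversal check; drop the guard, or make defining VOID_SECURITY fail loudly at compile time. check_path() also validates the realpath()-resolved name while `program`, still containing any "../" components, is what goes on to execv(); return the resolved path and execute that, so the checked name and the executed name are the same.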
        
        @@ -700,6 +740,9 @@
        
        */
        
        argvec[0] = program;
        
        argvec[1] = NULL;
        
        +/*
        
        +** shouldn't we check for suid stuff here?!
        
        +*/
        
        execv(program, argvec);
        
        
        
        #ifdef __MSDOS__ /* { */
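
Review bot: the only addition before `execv(program, argvec);` is a comment asking whether setuid files should be checked, so the question is left open on the code path that actually executes the script. Either add the test here (refuse when st_mode has S_ISUID or S_ISGID set, reusing a stat() result) or remove the comment and track the question elsewhere.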
        
        
        
        Vendor patch:

        Steve Grimm Un-CGI 1.10 has fixed this issue; we recommend that users of this software upgrade to the latest version:
        http://www.midwinter.com/~koreth/uncgi.html

        

- Vulnerability information

8963
Un-CGI Double Dot Arbitrary File Access

- Vulnerability description

Unknown or Incomplete

- Timeline

2001-07-17 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Steve Grimm Un-CGI Directory Traversal Vulnerability
Input Validation Error 3056
Yes No
2001-07-17 12:00:00 2009-07-11 06:56:00
This vulnerability was discovered by Khamba Staring <purrcat@edoropolis.org> and submitted to BugTraq on July 17th, 2001.

- Affected program versions

Steve Grimm Un-CGI 1.9
Steve Grimm Un-CGI 1.8
Steve Grimm Un-CGI 1.7
Steve Grimm Un-CGI 1.6.2
Steve Grimm Un-CGI 1.6
Steve Grimm Un-CGI 1.5
Steve Grimm Un-CGI 1.4
Steve Grimm Un-CGI 1.3
Steve Grimm Un-CGI 1.2
Steve Grimm Un-CGI 1.1
Steve Grimm Un-CGI 1.0
Steve Grimm Un-CGI 1.10

- Unaffected program versions

Steve Grimm Un-CGI 1.10

- Vulnerability discussion

Un-CGI is a free CGI Wrapper application. Its function is to parse URL encoded input and translate it for use by CGI applications. It may be used as a library or as a stand-alone executable.

A problem exists with the Un-CGI executable. It does not filter '../' sequences from user-supplied input. Thus it is possible to access arbitrary web-readable files on the host, which may disclose sensitive information to remote attackers.

It is also possible to use this vulnerability to remotely execute other scripts located on the host.

- Exploit

This issue can be exploited with a web browser.

- Solution

The vendor has released a fixed version which addresses this issue.

- Related references

 

 
