From advisories@qDefense.com Wed Jul 18 04:53:27 2001
From: qDefense Advisories
X-Sender: (Unverified)
To: bugtraq@securityfocus.com
Date: Sun, 15 Jul 2001 18:45:18 -0400
Subject: Interactive Story File Disclosure Vulnerability

Interactive Story File Disclosure Vulnerability
qDefense Advisory Number QDAV-2001-7-3

Product:           Interactive Story
Vendor:            Valerie Mates (http://www.valeriemates.com)
Severity:          Remote; attacker may read arbitrary files
Versions Affected: Version 1.3
Vendor Status:     Vendor contacted; has released new version, 1.4, which is not vulnerable
Cause:             Failure to validate input

In Short:

Interactive Story does not properly validate the contents of a hidden form field named "next". By setting that field to the name of a file, using double dots ("..") to walk out of the story directory and a poison null (%00) to cut off the ".txt" suffix the script appends, an attacker can cause Interactive Story to display the contents of any file the web server can read.

The current version of this document is available at http://qDefense.com/Advisories/QDAV-2001-7-3.html.

Details:

Interactive Story contains the following lines (the filehandle name inside the while condition did not survive in this copy; FH stands in for it):

    $nextfile = "$story_dir/$in{'next'}.txt";
    ...
    elsif ((-e $nextfile) && ($in{'submit'} eq "")) {
        ...
        while (<FH>) {
            print $_;
        }
        ...
    }

The "next" value is interpolated straight into a filesystem path with no check for directory traversal or for embedded null bytes. If an attacker sets the "next" field to something like

    ../../../../../../../../../../etc/passwd%00

the path becomes "$story_dir/../../../../../../../../../../etc/passwd\0.txt". The surplus ".." components take the path back to the filesystem root, and because the underlying stat(2) and open(2) calls treat the path as a NUL-terminated C string, everything after the null byte, including the appended ".txt", is ignored. The -e test succeeds, the file is opened, and the loop prints the password file to the browser. The same technique works for any file that the web server process has permission to read.

Solution:

Valerie Mates has released an upgrade, version 1.4, which strips special characters from the "next" field.

© 2001 qDefense Information Security Consultants. qDefense is a subsidiary of Computer Modeling Corp. This document may be reproduced, in whole or in part, provided that no modifications are made and that proper credit is given. Additionally, if it is made available through hypertext, it must be accompanied by a link to the qDefense web site, http://qdefense.com.

qDefense Advisories
advisories@qDefense.com
qDefense - DEFENDING THE ELECTRONIC FRONTIER
qDefense offers a wide variety of security services. See http://qDefense.com/Services
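Editor's added example (not part of the advisory and not Interactive Story's own code): a Python model of the version 1.3 path construction next to a hardened replacement. Because Python's open() refuses paths with embedded null bytes, the poison-null truncation that a C-level open(2) performs is reproduced explicitly in as_seen_by_open(). The story directory, file names, regular expression and the ATTACK_NEXT payload are constructed for the demonstration; the hardened check goes beyond the 1.4 fix (stripping special characters) by rejecting anything that is not a plain page token and then confirming the resolved path stays inside the story directory.

```python
import os
import re
import tempfile

# Constructed inputs (assumptions, not taken from the advisory).
ATTACK_NEXT = "../../../../../../../../../../etc/passwd\0"
NEXT_TOKEN = re.compile(r"\A[A-Za-z0-9_-]{1,64}\Z")


def build_nextfile(story_dir, next_field):
    """Same construction as $nextfile = "$story_dir/$in{'next'}.txt"; no validation."""
    return f"{story_dir}/{next_field}.txt"


def as_seen_by_open(path):
    """stat(2)/open(2) receive a NUL-terminated C string, so a null byte inside the
    script's string silently truncates the path: the 'poison null'."""
    return path.split("\0", 1)[0]


def attack_path_seen_by_open(story_dir="/var/www/story"):
    """Returns (path as the kernel sees it, that path normalised) for the advisory's payload."""
    raw = as_seen_by_open(build_nextfile(story_dir, ATTACK_NEXT))
    return raw, os.path.normpath(raw)


def vulnerable_read(story_dir, next_field):
    """Version 1.3 behaviour: existence check, then print the file."""
    path = as_seen_by_open(build_nextfile(story_dir, next_field))
    if not os.path.exists(path):
        return None
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def safe_nextfile(story_dir, next_field):
    """Hardened version: allow only a plain page token (this rejects '.', '/', '\\0'
    and every other special character), then confirm the resolved path is still
    under story_dir so symlinks or later code changes cannot reopen the hole."""
    if not NEXT_TOKEN.match(next_field):
        raise ValueError("invalid 'next' value")
    base = os.path.realpath(story_dir)
    candidate = os.path.realpath(os.path.join(base, next_field + ".txt"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("'next' resolves outside the story directory")
    return candidate


def hardened_read(story_dir, next_field):
    path = safe_nextfile(story_dir, next_field)
    if not os.path.exists(path):
        return None
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def demo():
    """Runs both versions against a throwaway layout: one legitimate page inside the
    story directory and a sensitive file one level above it."""
    with tempfile.TemporaryDirectory() as tmp:
        story_dir = os.path.join(tmp, "story")
        os.mkdir(story_dir)
        with open(os.path.join(story_dir, "page2.txt"), "w", encoding="utf-8") as fh:
            fh.write("PAGE2")
        with open(os.path.join(tmp, "secret.txt"), "w", encoding="utf-8") as fh:
            fh.write("SECRET")
        traversal = "../secret.txt\0"  # same shape as the advisory's payload, one level up
        results = {
            "legit_vulnerable": vulnerable_read(story_dir, "page2"),
            "legit_hardened": hardened_read(story_dir, "page2"),
            "attack_vulnerable": vulnerable_read(story_dir, traversal),
        }
        try:
            hardened_read(story_dir, traversal)
            results["attack_hardened"] = "read"
        except ValueError:
            results["attack_hardened"] = "rejected"
        return results


if __name__ == "__main__":
    print(attack_path_seen_by_open())
    print(demo())
```

The allow-list rejects bad input outright instead of stripping characters out of it, which avoids the usual sanitiser pitfalls (for example "...." collapsing to ".." after one pass of removal), and the realpath containment check is a second, independent guard that does not depend on the regular expression being right.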