[VIM] Fwd: Menu Manager Mod for WebAPP - No Input Filtering

Web-APP webapp at web-app.org
Sun Jul 15 21:33:58 UTC 2007


Incidentally, I came across the original thread where On was concerned with
this issue, at
http://www.web-app.org/cgi-bin/index.cgi?action=forum&board=security101&op=display&num=8837 .
At the time I was exhausted script-wise and deprived life-wise from
producing 0.9.9.3 which was WebAPP's biggest set of changes and additions
ever done in one version. Since the security team had considered the issue
and dismissed it as not a security problem, I too overlooked it, apparently,
following that thread.

The menu manager was originally "Jack Deth's" addition. Maybe he knows a
little more about this suspected security loophole. On was against adding
it, but his protests came along after the release had already been made. And
then they were dismissed by "Mossad" and then On.

Is there still a valid issue here? If so, anybody care to share it with us
so we can make any necessary patches?

http://www.web-app.org WebAPP
The "who can make a better WebAPP Web Automated Perl Portal" project.


----- Original Message ----- 
From: "str0ke" <str0ke at milw0rm.com>
To: "Vulnerability Information Managers" <vim at attrition.org>
Sent: Saturday, July 14, 2007 4:13 PM
Subject: [VIM] Fwd: Menu Manager Mod for WebAPP - No Input Filtering


> The plot thickens?
>
> ---------- Forwarded message ----------
> From: info at web-app.net <info at web-app.net>
> Date: 14 Jul 2007 04:56:20 -0000
> Subject: Re: Menu Manager Mod for WebAPP - No Input Filtering
> To: bugtraq at securityfocus.com
>
>
> The issue is not yet secure at http://www.web-app.org
>
> 1.) Guests can edit files on the server by:
> http://victim-domain/cgi-bin/index.cgi?action=menu
> - There are approximately 35 webapporg sites of version 0.9.9.7
> defaced with the issue. So it couldn't possibly be fixed for 0.9.9.7
> as claimed above.
>
> 2.) Members/guests can add $values in the menu form. Allowing $ is
> madness, as it can be exploited to run direct cmd on the Perl shell.
>
> I tried posting a message about it before here but it was unnoticed
> and never published.
>
> Kind regards
> On Elpeleg
> WebAPP
>
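The two points in the forwarded report (guest-reachable editing action, and `$` in menu values reaching the Perl interpreter) are the kind of thing a maintainer would close with an authorization check, a character whitelist, and a serializer that never builds Perl source by interpolation. The following is an added illustration of that pattern, not WebAPP's code; it assumes (as the report implies but does not state) that menu entries are written to a Perl data file later loaded with do()/eval, and that `$session->{level}` is a hypothetical admin marker.

```perl
#!/usr/bin/perl
# Added hardening sketch for a menu-editing CGI action (not WebAPP's code).
# Assumptions: entries are saved to a Perl data file that is later loaded with
# do()/eval, and $session->{level} eq 'admin' marks an administrator.
use strict;
use warnings;
use Data::Dumper;

# 1. Authorization: action=menu must not be reachable by guests or members.
sub assert_admin {
    my ($session) = @_;
    die "403: admin only\n"
        unless $session && ($session->{level} // '') eq 'admin';
}

# 2. Validation: conservative whitelist for labels and relative/absolute URLs.
#    Sigils ($ @), quotes, backticks, braces and newlines are all rejected.
sub validate_entry {
    my ($label, $url) = @_;
    die "bad label\n"
        unless defined $label && $label =~ /\A[\w .,:()-]{1,60}\z/;
    die "bad url\n"
        unless defined $url
            && $url =~ m{\A(?:https?://[\w.-]+)?/[\w/.?=&-]{0,200}\z};
    return { label => $label, url => $url };
}

# 3. Serialization: never interpolate user data into Perl source. Data::Dumper
#    with Useqq emits every value as an escaped, double-quoted string literal,
#    so a stored "$ENV{HOME}" stays a literal when the file is loaded again.
sub serialize_menu {
    my (@entries) = @_;
    local $Data::Dumper::Terse  = 1;
    local $Data::Dumper::Useqq  = 1;
    local $Data::Dumper::Indent = 1;
    return Dumper(\@entries);
}

# Demonstration with constructed input (not real site data).
my %session = (level => 'admin');
assert_admin(\%session);
my @entries = (validate_entry('Home', '/cgi-bin/index.cgi?action=home'));
print serialize_menu(@entries);

# A value carrying a sigil is rejected before it can reach the data file.
my $r = eval { validate_entry('Test', '/$ENV{HOME}'); 1 }
      ? "accepted\n" : "rejected: $@";
print $r;
```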
