Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Nessus>
  3. plugins
Questions
huberfelix at webtopia
Dec 29, 2001, 9:28 AM
Post #1 of 3 (735 views)
Permalink
Hi everybody,

I just looked through some scans, and I found one problem over and over
again:

Is it a really good practice to write code like this? Can we really expect
the same directory structure everywhere?

"string(cgibin,"/apexec.pl?etype=odp&template=../../../../../../../../../etc
/passwd%00.html&passurl=/category/")"
(anaconda.nasl, htmlscript.nasl, ...)


SuSE 7:
/usr/local/httpd/cgi-bin
/usr/local/httpd/htdocs

Redhat 5:
/home/httpd/cgi-bin
/home/httpd/html

Redhat 7:
/var/www/cgi-bin
/var/www/html

Debian:
/var/www/
/usr/lib/cgi-bin/

Not to mention webhoster configs like:
/homepages/d/www.dee.com/htdocs

I hope you see what I mean - I suggest at least 4-5 variations (../, ../../,
etc).


A other problem is the trigger for some windows scans. I don't think we
should look for "c:\windows" - I suggest c:\boot.ini for WinNT/2K/XP and
c:\autoexec.bat for Win9x/ME.

Examples:
idq_dll.nasl: "/query.idq?CiTemplate=../../../../../winnt/win.ini";
Won't work with Windows XP (windows/win.ini)

Other opinions?

Regards,
Felix Huber


-------------------------------------------------------
Felix Huber, Security Consultant, Webtopia
Guendlinger Str.2, 79241 Ihringen - Germany
huberfelix@webtopia.de (07668) 951 156 (phone)
http://www.webtopia.de (07668) 951 157 (fax)
(01792) 205 724 (mobile)
-------------------------------------------------------
Re: Questions [ In reply to ]
sq at cirt
Dec 29, 2001, 9:45 AM
Post #2 of 3 (713 views)
Permalink
Having too many "../" in a path should not be problem, since on a Unix host the "lowest" you can get is just "/".

So if I'm in "/tmp" and execute "cd ../../../../" I am now in "/", just as if I'd only typed "cd ..". Having a bunch of "../" items in the path SHOULD ensure we end up back in / (no matter where we started) for any check, without having to test the CGI multiple times.

Is there any file that exists on all versions of Windows that could be tested for? That would certainly add some efficiency to a number of CGI checks.

-Chris


>Can we really expect
> the same directory structure everywhere?
>
"string(cgibin,"/apexec.pl?etype=odp&template=../../../../../../../../../etc
> /passwd%00.html&passurl=/category/")"
> (anaconda.nasl, htmlscript.nasl, ...)
>
Re: Questions [ In reply to ]
sq at cirt
Dec 29, 2001, 8:07 PM
Post #3 of 3 (713 views)
Permalink
A friend tells me XP has autoexec.bat (and the others listed by Andrew) in C:\ but they're all 0 KB by default. My Win2k Pro's autoexec.bat is also 0 KB.


> Right, but many tests only use 3 or 4 ../'s - however I updated 50 Scans
> (last CVS versions).
>
> Btw: Windows Scans now look for C:\autoexec.bat (Trigger Word "SET")
>
>
> Regards,
> Felix Huber
>
>

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal