Hi everybody,
I just looked through some scans, and I found one problem over and over
again:
Is it a really good practice to write code like this? Can we really expect
the same directory structure everywhere?
"string(cgibin,"/apexec.pl?etype=odp&template=../../../../../../../../../etc/passwd%00.html&passurl=/category/")"
(anaconda.nasl, htmlscript.nasl, ...)
SuSE 7:
/usr/local/httpd/cgi-bin
/usr/local/httpd/htdocs
Redhat 5:
/home/httpd/cgi-bin
/home/httpd/html
Redhat 7:
/var/www/cgi-bin
/var/www/html
Debian:
/var/www/
/usr/lib/cgi-bin/
Not to mention webhoster configs like:
/homepages/d/www.dee.com/htdocs
I hope you see what I mean - I suggest at least 4-5 variations (../, ../../,
etc).
Another problem is the trigger for some Windows scans. I don't think we
should look for "c:\windows" - I suggest c:\boot.ini for WinNT/2K/XP and
c:\autoexec.bat for Win9x/ME.
Examples:
idq_dll.nasl: "/query.idq?CiTemplate=../../../../../winnt/win.ini";
Won't work with Windows XP (windows/win.ini)
Other opinions?
Regards,
Felix Huber
-------------------------------------------------------
Felix Huber, Security Consultant, Webtopia
Guendlinger Str.2, 79241 Ihringen - Germany
huberfelix@webtopia.de (07668) 951 156 (phone)
http://www.webtopia.de (07668) 951 157 (fax)
(01792) 205 724 (mobile)
-------------------------------------------------------
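
Added example, not part of the original message or of the .nasl scripts it names: a log-side check that recognises requests like the two quoted above whatever their traversal depth or Windows directory name. The function names, the patterns and the sample request targets are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# File names come from the message above; the patterns are this example's assumptions.
# win.ini is matched without its directory, so winnt/ and windows/ both count.
TARGETS = re.compile(r"(etc/passwd|boot\.ini|autoexec\.bat|win\.ini)", re.I)
DOTDOT_RUN = re.compile(r"(?:\.\./)+")

def decode(target, rounds=2):
    """Percent-decode up to `rounds` times, then unify path separators."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")

def classify(target):
    """Return (longest ../ run, matched file or None, NUL byte present)."""
    text = decode(target)
    depth = max((len(run) // 3 for run in DOTDOT_RUN.findall(text)), default=0)
    match = TARGETS.search(text)
    return depth, (match.group(1).lower() if match else None), "\x00" in text

def is_probe(target):
    """Flag a request that climbs at least one level towards a listed file."""
    depth, name, _ = classify(target)
    return depth >= 1 and name is not None

# Constructed request targets; /cgi-bin stands in for the cgibin variable.
SAMPLES = [
    "/cgi-bin/apexec.pl?etype=odp&template=" + "../" * 9
    + "etc/passwd%00.html&passurl=/category/",
    "/query.idq?CiTemplate=" + "../" * 5 + "winnt/win.ini",
    "/query.idq?CiTemplate=..%5c..%5cwindows/win.ini",
    "/category/index.html?next=../about.html",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(is_probe(sample), classify(sample), sample)
```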