信息来源:
www.securiteam.com
Summary
WebLibs is "a pretty popular simple little Perl script made available from Darryl C. Burgdorf". Due to improper use of user provided information an attacker can cause the WebLibs CGI to disclose arbitrary files.
Details
Vulnerable Systems:
* WebLibs version 1.0 and prior
The security vulnerability as whoever is reading this might guess is caused by a lack of proper input validation when the weblibs.pl script reads in a static piece of sensitive data hidden in a hidden <INPUT> tag embedded inside the dynamically generated web page. This lack of input validation leads to a typical directory traversal attack (sometimes directory traversal isn't even needed if the web enviroment is setup in a particular way) that can be leveraged to read in non-executable text file from the vulnerable web server that the web server has permission. The line of Perl code that causes this vulnerability is...
open (FILE,"$FORM{'TextFile'}");
There may be a way to get local files to execute on the system or get the output from commands like ls -la.
Explotation:
To exploit this vulnerability the attacker/pen tester needs to first save a copy of the initial generated WebLibs page that asks for the users input so the script can generate the results for the user. Next after making a local copy of that page you need to look for the HTML <INPUT> tag that has a name="TextFile" attribute. For instance <INPUT type=hidden value="/some/path/to/the/weblibs/input.txt" name="TextFile">
Now simply edit the line to something other non executable server file like /etc/passwd or /etc/hosts etc to read sensitive private data from the vulnerable web server which may give the the person attacking a chance at gaining shell access to the web server. For example edit the HTML line mentioned above to something like <INPUT type=hidden value="/../../../../../etc/passwd" name="TextFile"> then save the file and load it up in your web browser, fill in all the form input fields hit the submit button and the vulnerable web server will return the contents of the text file requested if allowed.
Solution:
One possible solution is to not use the hidden <INPUT> tag in the generated pages from weblibs.pl and instead define $TextFile as a user installation variable that needs to be filled in only in the beginning by the script installer so the attacker can't easily manipulate it.
Additional information
The information has been provided by John Bissell.
