|[Home] [Credit Search] [Category Browser] [Staff Roll Call]||The LINUX.COM Article Archive|
|Originally Published: Wednesday, 8 September 1999||Author: Quentin Cregan|
|Published to: news_enhance_security/Security News||Page: 1/1 - [Printable]|
w3-msql 2.0.11 may run arbritrary code for outsiders
In a post to BugTraq, it was suggested that w3-mysql is vulnerable to handing over files from the system, and potentially executing code courtesy of a buffer overflow.
|Page 1 of 1|
i have just installed the evaluation version of the last w3-msql release (2.0.11) with its new security mechanism. There is effectively this new option "Force_Suffix" in msql.conf that force msql server to take its documents inside its private root instead of server's one.
The cgi is actually still vulnerable because of numerous lacks in sources (take a look at storeArgs() in w3-msql.c). It's possible with a buffer overflow attack to gain web server priviledge and modify remotly server content.
www.victim.com is the target site.
with about a 200 chars length filename, the server response is "Internal Server Error" and the cgi produce a core file. With a carrefully forged string including code instructions, it's possible to force remote server to execute arbitrary code.
i'm going to write an exploit.
Have a nice day
------- Gregory Duchemin - email@example.com Security Engineer NEUROCOM http://www.neurocom.com/ 179/181 avenue Charles de Gaulle 92200 Neuilly Sur Seine Tel: 01.41.43.84.84 Fax: 01.41.43.84.80
|Page 1 of 1|