SecurityFocus BUGTRAQ Mailing List: BugTraqLink Number One Link Number One Link Number Two Link Number Two Link Number One Link Number One Link Number Two Link Number Two Entire Site Advisories Calendar Columnists Elsewhere Guest Feature Infocus Library Links Mailing Lists (all) -- BUGTRAQ -- FOCUS-IDS -- FOCUS-IH -- FOCUS-LINUX -- FOCUS-MS -- FOCUS-SUN -- FOCUS-VIRUS -- FORENSICS -- INCIDENTS -- PEN-TEST -- SEC JOBS -- SF NEWS -- VULN-DEV News Products Services Tools Vulns BUGTRAQ ARCHIVE [ Message Index ] [ Thread Index ][ Reply ] [ prev Msg by Date ][ next Msg by Date ] To: BugTraq Subject: EORF2003-04: sbox path disclosure problem Date: Sep 25 2003 5:35PM Author: Julio e2fsck Cesar Message-ID: <20030925173535.6231.qmail@sf-www2-symnsj.securityfocus.com> --------------------------- EightOne Research Facility --------------------------- EORF2003-04 (security advisory) Title: sbox has a information disclosure problems Author: Julio "e2fsck" Cesar Vendor: http://stein.cshl.org/WWW/software/sbox Versions: sbox 1.04 and later Date: 18 Sep 2003 1. Description sbox is a CGI wrapper that allows CGIs to be executed more safely. What sbox does is "box" the CGI script into a secure enviroment and run it. EightOne Research Facility has discovered a path disclosure problem in sbox, which allows malicious users to know the physical path of the server and the username of the domain. 2. Details When a user makes a request to /cgi-bin directory, sbox intermediates this query and executes the CGI script in a restricted enviroment, but before this execution, it makes some checking such as CGI scripts in world-writable directories. When a query to a non-existent script in /cgi-bin is made, sbox display an error that reveals some information that shouldn't be revealed, such as physical path. Here is an example: http://your.vulnerable.site/cgi-bin/non-existent.pl and look what we get -- snip -- Sbox Error The sbox program encountered an error while processing this request. Please note the time of the error, anything you might have been doing at the time to trigger the problem, and forward the information to this site's Webmaster (root your vulnerable site) Stat failed. /home/jcf/cgi-bin/a.pl: No such file or directory sbox version 1.04 $Id: sbox.c,v 1.9 2000/03/28 20:12:40 lstein Exp $ -- unsnip -- It revealed the username of the domain and the physical path of cgi-bin directory. And is possible to use the gotten username to make brute force attacks to guess the user's password to obtain unauthorized access. 3. Solution Stein Laboratory has been contacted but I haven't received any reply yet. Thanks Despise for being this cool guy and helped us when we needed. Sorry if there are english mistakes. Regards, members of EightOne. EightOne Research Facility - http://eightone.mafiadodiva.org Recife, PE, Brazil Want to link to this message? Use this URL: Disclaimer, Terms & Conditions About this List Featured Lists: ARIS Users bugtraq bugtraq-es bugtraq-french NEW bugtraq-jp firewalls focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics forensics-es honeypots incidents libnet pen-test secevents secpapers secprog sectools secureshell security-basics security-management NEW securityjobs vpn vuln-dev webappsec Newsletters: sf-news ms-secnews linux-secnews [ more . . . ] Privacy Statement Copyright © 1999-2003 SecurityFocus