BNCweb is a set of CGI scripts developed at the University of Zürich as a user-friendly query interface to the British National Corpus. It allows linguists to retrieve lexical, grammatical and textual data from this 100 million word collection of english texts using a web browser. For more information see http://homepage.mac.com/bncweb/home.html BNCweb has been found prone to a file dicsclosure vulnerability that allows attackers to read any file accessible to the CGI user (typically "wwwrun") anywhere in the server's file systems by supplying a trivially manipulated URL to the query script. This includes web web server and system password files, opening the door for further compromises. However, exploitation requires access to the script itself, which in a correctly installed system is protected by the web server's access control mechanism, thus only registered users are able to carry out an attack. The reason for this vulnerability is a piece of obsolete code left over from a development version. As a quick fix, the author suggests removing lines 23 to 25 in the BNCquery.pl script. This has no effect on the script's normal functionality.
