Global InterSec LLC
http://www.globalintersec.com

GIS Advisory ID: 2001021302
Changed: 12/12/2001
Author: research@globalintersec.com
Reference: http://www.globalintersec.com/adv/sendtemp-2001021302.txt

Summary:
sendtemp.pl, part of Amaya, the W3C's authoring tool, is vulnerable to a directory traversal attack.

Impact:
A remote attacker may read files on the system as the user the httpd daemon is running as.

Description:
When the `templ` argument is passed to sendtemp.pl, a link to the chosen style sheet (the parameter) and a META field containing the publication URL of the new file are added to a template and shown. Because the value of the `templ` argument is not checked for errors, it is possible to traverse back past the template directory and read arbitrary files on the system with the permissions of the user the http daemon is running as.

Scope for attack:
The scope of the attack is determined by the permissions of the user the http daemon is running as on the affected host. Under certain conditions, the sendtemp vulnerability may allow a remote attacker to read system password files and other data, which could lead to the attacker gaining further access to the host.

Workaround:
No sufficient workaround is available. Please upgrade sendtemp.pl from the Amaya web page, linked from WWW.WC3.ORG.

Credit:
Thanks to d0tslash, a GIS researcher, for reporting this vulnerability. Further research into Amaya was carried out by the GIS vulnerability research team.

Vendor Solutions:
The W3C has been notified and has fixed the problem in its latest release.

Exploits (Proof of concept):
http://vulnhost/cgi-bin/sendtemp.pl?templ=../../etc/passwd

Legal:
This advisory is the intellectual property of Global InterSec LLC but may be freely distributed on the conditions that:
a) no fee is charged
b) appropriate credit is given.

(c) Global InterSec LLC 2001
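The unchecked-parameter pattern described above, beside the containment check that closes it, as an added example; this is not the code of sendtemp.pl, and the template directory path is an assumed value.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed template directory; an actual Amaya install may use a different path.
TEMPLATE_DIR = "/var/www/amaya/templates"

# Allowlist for a template file name: a single path component, no separators,
# cannot start with "." and must carry an .htm/.html extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*\.html?$")


def naive_template_path(templ):
    """The flaw the advisory describes: the templ value is joined straight onto
    the template directory, so '../' components walk out of it unnoticed."""
    return posixpath.normpath(posixpath.join(TEMPLATE_DIR, templ))


def safe_template_path(templ):
    """Hardened lookup: decode once, reject anything outside the allowlist
    (separators, NUL bytes, dot-prefixed names), then prove that the
    canonical path is still inside TEMPLATE_DIR. Returns None on rejection."""
    name = unquote(templ)
    if "\x00" in name or not SAFE_NAME.fullmatch(name):
        return None
    candidate = posixpath.normpath(posixpath.join(TEMPLATE_DIR, name))
    # Defence in depth: even a name that passed the regex must canonicalise
    # to a location under the template directory.
    if posixpath.commonpath([TEMPLATE_DIR, candidate]) != TEMPLATE_DIR:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: the advisory's PoC value and a legitimate template name.
    for value in ("../../etc/passwd", "default.html"):
        print(value, "->", naive_template_path(value), "|", safe_template_path(value))
```

The second check matters when the allowlist is later loosened (e.g. to permit subdirectories): the containment test still refuses any resolved path that leaves the template tree.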