-------- Original Message --------
Subject: Re: Alkalay contribute.pl issue
Date: Sat, 08 Oct 2005 02:31:12 -0400
From: Sullo
To: Steven M. Christey
References: <200509282155.j8SLt3GW010515(at)linus.mitre.org>

Steven M. Christey wrote:

>Sullo,
>
>I've just added the Alkalay issues you discovered to CVE. I noticed
>in the source code for contribute.pl the following:
>
>  open(CONT,">",$cgiInput{contribdir} . "/" . $fname . ".txt");
>
>which suggests file overwriting, not reading, but OSVDB:19522 says
>that the impact is reading.
>
>There's also this:
>
>  open(TPL,$cgiInput{template});
>
>which suggests the template variable can be manipulated for reading,
>plus shell metacharacters.
>
>I haven't installed or checked the program for this but thought I'd
>mention it to see if you could clarify.
>
>The CVE description is currently based on contribdir for reading.
>

Hey Steve, sorry for the delay.

It looks like the 'contribdir' can also be used for arbitrary file
overwrite, which you caught. I keyed in on the file retrieval via
'template' and didn't get too much further, which is what osvdb-19522
is for. I created 19879 for the contribdir file overwrite.

[..]
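
Added example (not part of the original message and not code from contribute.pl): one way the two open() calls quoted in the thread could be hardened, with the template read and the contribution write handled separately. The directory paths, the .tpl extension and the sub names are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not contribute.pl source. Paths and sub names are hypothetical.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# Assumption: directories are fixed in server-side configuration and are
# never taken from a request parameter such as contribdir.
my $TEMPLATE_DIR = '/var/www/app/templates';
my $CONTRIB_DIR  = '/var/www/app/contrib';

# Accept only a bare name: no slashes, dots, pipes or other metacharacters.
sub checked_name {
    my ($name) = @_;
    return unless defined $name && $name =~ /\A([A-Za-z0-9_-]{1,64})\z/;
    return $1;
}

# Three-argument open with an explicit '<' mode: the value is only ever a
# file name, so a leading or trailing pipe cannot turn it into a command.
sub read_template {
    my ($requested) = @_;
    my $name = checked_name($requested);
    return unless defined $name;
    open(my $fh, '<', "$TEMPLATE_DIR/$name.tpl") or return;
    local $/;                       # slurp the whole file
    my $body = <$fh>;
    close($fh);
    return $body;
}

# O_EXCL makes the create fail if the file already exists, so a submission
# cannot overwrite an earlier one or any other file in the directory.
sub write_contribution {
    my ($fname, $text) = @_;
    my $name = checked_name($fname);
    return 0 unless defined $name;
    sysopen(my $fh, "$CONTRIB_DIR/$name.txt", O_WRONLY | O_CREAT | O_EXCL, 0640)
        or return 0;
    print {$fh} $text;
    return close($fh) ? 1 : 0;
}

# Constructed inputs: only the last one passes validation.
for my $input ('../x', 'x|', 'a/b', 'note_2005-10') {
    printf "%-14s %s\n", $input,
        defined(checked_name($input)) ? 'accepted' : 'rejected';
}
```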