Title: W3C Amaya Templates Server Directory Traversal Vulnerability
Severity: MODERATE
Description:
W3C's Amaya is a WYSIWYG web browser and authoring program, developed primarily as an environment for demonstrating and implementing new web protocols and data formats. A separate package, the templates server, is designed for integration with an existing apache web server. This package provides the ability to retrieve templates from a server, for use in Amaya. One of the scripts used by the Amaya template server, sendtemp.pl, is vulnerable to a simple directory traversal and file retrieval vulnerability. The templates that can be retrieved by sendtempl.pl are designed to be limited to those stored in a template directory specified in the configuration file templatesconfig.pm. Improper syntax checking allows an attacker to bypass this restriction by supplying relative paths to the script via the "templ" parameter. Not only can this be used to view contents of files, but it can also be used to determine file system structure. If passed a path to a directory, it displays the contents of the directory file (similar to, for example, "cat /bin") which can be easily deciphered to determine directory and subdirectory structure. An example query is: http://host/cgi-bin/sendtemp.pl?templ=../../../../etc/passwd
Affected Products:
- W3C templates server for Amaya 1.1.0
References:
- Gerhard Mourani: Apache in a chroot jail
- W3C: Amaya Homepage
- W3C: Installing a template server for Amaya
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
