93622 2003-03-11  16:48  /66 lines/ Albert Puigsech Galicia <ripe@7a69ezine.org>
Imported: 2003-03-11  16:48  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3903>
Subject: Cross-Referencing Linux vulnerability
------------------------------------------------------------
Info.
-----

	+ Type:		To gain visibility

	+ Software:	Cross-Referencing Linux.
	 
	+ Versions:	up to 0.9.2

	+ Exploit:		Yes.

	+ Author:		Albert Puigsech Galicia

	+ Contact:	ripe@7a69ezine.org





Introduction.
-------------

	Cross-Referencing Linux, also known as LXR, lets you read the
entire Linux kernel source through a web browser. The application is
written in Perl and converts all Linux kernel sources to HTML. For
more information, visit the project's official website at
http://lxr.linux.nu.



Description.
------------

	LXR supports browsing several kernel versions. The version is
read from the 'v' variable, whose content is placed in the path used
to open the file without filtering the '..' special directory.



Exploiting.
-----------

	It is possible to read any file on the system with Apache's
privileges by climbing up the directory tree with malicious data sent
in the 'v' variable. It is also necessary to finish the path with a
NUL character so that the rest of the path is ignored, so we add %00
at the end of 'v'.

	An example of an exploit call might be:

	http://vulnerable/source?v=../../../../../../../etc/password%00



Patch.
------

	There is no official patch at the moment, but it is easy to
add a regex that filters the '..' content when the 'v' variable is
read.


--
>=====================
> Albert Puigsech Galicia
>
> http://ripe.7a69ezine.org
>=====================
(93622) /Albert Puigsech Galicia <ripe@7a69ezine.org>/(Reflowed)
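
One way to implement the filtering suggested in the Patch section, as an added example that is not part of the original advisory or of LXR's own code: it rejects a bad 'v' value instead of stripping '..' from it, and also refuses the NUL byte used to cut off the rest of the path. The function name version_root, the root path and the version list are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example: validate an LXR-style 'v' (version) parameter before it is
# used to build a filesystem path. All names and paths here are hypothetical.
use strict;
use warnings;
use File::Spec;

my $SOURCE_ROOT = '/var/lxr/source';                  # assumed: one directory per version
my %KNOWN       = map { $_ => 1 } qw(2.4.20 2.5.64);  # constructed list of configured versions

# Return the source directory for a version, or undef if the value is rejected.
sub version_root {
    my ($v) = @_;
    return unless defined $v;

    # A NUL byte ends the string at the C layer, dropping whatever the
    # application appends after the version.
    return if $v =~ /\0/;

    # '..' as a path component walks out of the source root.
    return if $v =~ m{(?:^|/)\.\.(?:/|$)};

    # Positive check: one path component, no '/', no leading dot.
    # \A and \z are used because '$' would accept a trailing newline.
    return unless $v =~ /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/;

    # Strongest check: the value must name a version that is actually configured.
    return unless $KNOWN{$v};

    return File::Spec->catdir($SOURCE_ROOT, $v);
}

# Constructed inputs: one valid version, then values that must be rejected.
my @samples = (
    '2.4.20',
    "../../../../../../../etc/password\0",   # the advisory's example, URL-decoded
    '2.4.20/../..',
    '..',
    '2.4.99',                                # well-formed but not configured
    '',
);

for my $v (@samples) {
    (my $shown = $v) =~ s/\0/%00/g;          # make the NUL visible when printing
    my $root = version_root($v);
    printf "%-40s => %s\n", "'$shown'", defined $root ? $root : 'REJECTED';
}
```

Rejecting the request outright avoids the problem with filters that delete '..' and then use what is left, where the remaining characters can form a new '..' sequence.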