SurgeLDAP Web Service user.cgi File Retrieval
------------------------------------------------------------------------
SUMMARY
<http://netwinsite.com/surgeldap/> SurgeLDAP is "an advanced easy to manage and install high performance LDAP v3 server. It supports any number of schemas, easy to add/modify existing schemas, integrated web based user access, and fast browser based administration tools. And all relevant RFC protocols LDAP v2, LDAP v3, HTTP. With its features, support and price it is more powerful and cost effective than any other solution. Compatible to suck data from existing LDAP servers for easy data population. With a build in web server allowing your users to search your LDAP, or administrate the database".
A flaw has been found in "user.cgi" that allows a remote user to retrieve arbitrary files from the system. By supplying "../" sequences in the "page" parameter, a remote user can read files outside the WWW root.
DETAILS
Vulnerable Systems:
 * SurgeLDAP version 1.0g
Example: Accessing the following URL will cause the server to return the content of the boot.ini file: http://[host]:6680/user.cgi?cmd=show&page=/../../../boot.ini
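The advisory describes the two things a defender needs to handle: the "page" value must be confined to the WWW root before it is opened, and requests that already carry traversal sequences should be visible in the access log. The following Python is an added example written for this page; it is not SurgeLDAP code and does not show how user.cgi resolves paths internally. The web root "www", the function names, and the access-log lines are all constructed for the example. Backslashes are normalised to "/" before the check because the advisory's target (a boot.ini file) implies a Windows host, where "..\" is also a separator.

```python
import os
import re
from urllib.parse import parse_qs, unquote

# Constructed access-log lines (Common Log Format). The second, third and
# fourth requests carry plain, URL-encoded and double-encoded traversal
# sequences in the "page" parameter, as described in the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2004:13:55:36 +0000] "GET /user.cgi?cmd=show&page=index.htm HTTP/1.1" 200 1843',
    '10.0.0.5 - - [01/Jan/2004:13:55:41 +0000] "GET /user.cgi?cmd=show&page=/../../../boot.ini HTTP/1.1" 200 512',
    '192.0.2.9 - - [01/Jan/2004:14:02:10 +0000] "GET /user.cgi?cmd=show&page=%2e%2e%2f%2e%2e%2fwinnt%2fwin.ini HTTP/1.1" 200 408',
    '192.0.2.9 - - [01/Jan/2004:14:02:15 +0000] "GET /user.cgi?cmd=show&page=..%252f..%252fboot.ini HTTP/1.1" 200 512',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def extract_page(query_string):
    """Return the decoded 'page' value from a CGI query string ('' if absent)."""
    values = parse_qs(query_string).get("page", [])
    return values[0] if values else ""


def resolve_page(www_root, page):
    """Hypothetical hardened lookup: map 'page' to a file under www_root.

    Raises ValueError when the canonical path escapes the root, when the
    value is empty, or when it contains a NUL byte (C string truncation).
    """
    if not page or "\x00" in page:
        raise ValueError("empty page or embedded NUL byte")
    root = os.path.realpath(www_root)
    # Treat backslashes as separators and drop leading slashes so that
    # os.path.join cannot be tricked into an absolute path.
    relative = page.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(root, relative))
    # The candidate must be strictly inside the root; the root itself is rejected.
    if not candidate.startswith(root + os.sep):
        raise ValueError("page resolves outside the web root: %r" % page)
    return candidate


def is_safe_page(www_root, page):
    """Boolean wrapper around resolve_page for callers that only need a verdict."""
    try:
        resolve_page(www_root, page)
        return True
    except ValueError:
        return False


def decode_fully(text, rounds=3):
    """Undo up to 'rounds' layers of percent-encoding (catches %252e style evasion)."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def has_traversal(target):
    """True if any path segment of the decoded request target is '..'."""
    normalised = decode_fully(target).replace("\\", "/")
    return any(segment == ".." for segment in normalised.split("/"))


def flag_traversal_requests(log_lines):
    """Return (ip, target, status) for every log line whose target contains traversal."""
    flagged = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if match and has_traversal(match.group("target")):
            flagged.append((match.group("ip"), match.group("target"), match.group("status")))
    return flagged


if __name__ == "__main__":
    for ip, target, status in flag_traversal_requests(SAMPLE_LOG):
        print("traversal from %s -> %s (HTTP %s)" % (ip, target, status))
    print("safe:", is_safe_page("www", "index.htm"))
    print("safe:", is_safe_page("www", extract_page("cmd=show&page=/../../../boot.ini")))
```

The path check canonicalises both the root and the candidate with realpath and then requires a prefix match including the trailing separator, so a root of "/srv/www" does not accept "/srv/www-private/x". The log check decodes repeatedly before splitting on separators, which is why the double-encoded fourth line is flagged even though "../" never appears literally in it; a status of 200 on a flagged line is the signal that the request actually succeeded.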