___                 ___                     __
\_ |__ _____     __| _/______  ____   _____/  |_
 | __ \\__  \   / __ |\_  __ \/  _ \ /  _ \   __\
 | \_\ \/ __ \_/ /_/ | |  | \(  <_> |  <_> )  |
 |___  (____  /\____ | |__|   \____/ \____/|  | Security Group
     \/     \/      \/                      ||
Security Advisory 2005-#0x04                \/
http://www.badroot.org


Author ........  Spher3
Date ..........  27-06-2005
Product .......  AGB (show.pl)
Type ..........  Directory traversal


o Info:
============================
This script is widely deployed on German e-shopping sites.

o Description:
===========================
The script performs no validation of its CGI query parameter.
It is called as show.pl?cv=num_of_file, for example show.pl?cv=9323, and opens the corresponding file.
Because the value is never checked, "../../../" sequences can be used to reach arbitrary files on the system (directory traversal vulnerability).
The file actually opened is "num_of_file.html", not "num_of_file", since the script appends the extension itself.
Perl, however, passes the filename to the C library as-is, so a "%00" (NUL) byte in the parameter terminates the name early and renders the appended extension (.html/.htm) null.
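As an added example (not the vendor's show.pl code and not part of the advisory), this is how the cv parameter could be handled safely: only a plain file number is accepted before it is joined to an assumed base directory, which rejects both the "../" sequences and the NUL byte described above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed base directory; the advisory does not name the real one.
my $BASE_DIR = '/var/www/agb/html';

# Return the path to open for a given cv value, or undef if the value is not
# a plain file number. The anchored [0-9]+ check rejects "../" sequences and
# the "%00" (NUL) byte, which would otherwise terminate the filename at the C
# level and drop the appended ".html".
sub safe_path_for_cv {
    my ($cv) = @_;
    return undef unless defined $cv;
    return undef unless $cv =~ /\A[0-9]{1,10}\z/;   # \z, not $: "$" would accept a trailing "\n"
    return "$BASE_DIR/$cv.html";
}

# Open only a path produced by safe_path_for_cv, with three-argument open so
# the string can never be interpreted as a mode or a pipe.
sub read_page_for_cv {
    my ($cv) = @_;
    my $path = safe_path_for_cv($cv);
    return undef unless defined $path && -f $path;
    open(my $fh, '<', $path) or return undef;
    local $/;                      # slurp the whole file
    my $content = <$fh>;
    close $fh;
    return $content;
}

# Constructed inputs: the legitimate value from the advisory, the URL-decoded
# traversal PoC, and a value with a trailing newline.
my @inputs = ("9323", "../../../../../../../../etc/passwd\0", "9323\n");
for my $cv (@inputs) {
    my $shown = $cv;
    $shown =~ s/\0/\\0/g;          # make the NUL and newline visible in output
    $shown =~ s/\n/\\n/g;
    my $path = safe_path_for_cv($cv);
    printf "cv=%-45s -> %s\n", $shown, defined $path ? $path : 'REJECTED';
}
```

Only the first input yields a path; the traversal string and the newline-terminated value are rejected before any file is opened.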

o Proof of Concept:
===========================
http://www.somesite.org/cgi-bin/go/show/show.pl?cv=../../../../../../../../etc/passwd%00

o Contacts:
===========================
Mail ....  spher3@fatalimpulse.net
Http ....  www.badroot.org
Irc .....  irc.us.azzurra.org ~ #Badroot
