CVE-2001-1209

MEDIUM 5.0 / 10.0
Published: December 31, 2001 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

Directory traversal vulnerability in zml.cgi allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.

CVSS Metrics

Base Score: 5.0
Severity: MEDIUM
Vector String: AV:N/AC:L/Au:N/C:P/I:N/A:N

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Remote attackers can exploit a directory traversal vulnerability in zml.cgi to read arbitrary files on the server. This vulnerability allows attackers to bypass security restrictions and potentially gain access to sensitive information, leading to data breaches and system compromise.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: The attacker crafts a malicious HTTP request targeting the zml.cgi script. The request includes a file parameter with a directory traversal payload, such as file=../../../../etc/passwd.

Step 2: Request Processing: The zml.cgi script receives the HTTP request and extracts the value of the file parameter.

Step 3: Path Construction: The script constructs a file path by concatenating the base directory path with the attacker-supplied file parameter.

Step 4: File Access: The script attempts to open and read the file specified by the constructed path.

Step 5: Information Disclosure: Because of the directory traversal, the script successfully accesses the targeted file (e.g., /etc/passwd) and returns its contents in the HTTP response, disclosing sensitive information to the attacker.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation in the zml.cgi script. Specifically, the script fails to properly sanitize the file parameter, which is used to specify the file to be accessed. By injecting a sequence of .. (dot-dot) characters in the file parameter, an attacker can navigate up the directory structure and access files outside the intended web root. The root cause is a lack of proper path normalization and input validation, allowing for path traversal. The script likely directly concatenates the user-supplied file parameter with a base directory path without checking for or removing directory traversal sequences. This allows an attacker to control the file path and read sensitive files such as configuration files, password files, or other sensitive data.
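An added example, not zml.cgi's code (the page shows neither the script's source nor its language): the concatenation the analysis describes, next to a check that canonicalises the path and refuses anything that resolves outside the base directory. The function names, directory layout and file names are assumptions constructed for the example.

```python
import os
import tempfile


def naive_path(base_dir, file_param):
    """Pattern described in the analysis: base directory + raw parameter."""
    return os.path.join(base_dir, file_param)


def resolve_inside(base_dir, file_param):
    """Return the canonical path if it stays under base_dir, else None."""
    if "\x00" in file_param:
        return None  # embedded NUL never belongs in a file name
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks, so the comparison
    # below is made on the location that would really be opened.
    candidate = os.path.realpath(os.path.join(base, file_param))
    # commonpath compares whole components; a plain string-prefix test
    # would wrongly accept a sibling such as "<base>-old".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo():
    """Build a constructed tree and report which parameters are accepted."""
    root = os.path.realpath(tempfile.mkdtemp())
    docs = os.path.join(root, "docs")          # hypothetical base directory
    os.makedirs(docs)
    os.makedirs(os.path.join(root, "docs-old"))
    for rel in ("docs/page.zml", "secret.conf", "docs-old/old.zml"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(rel)
    # A symlink inside the base that points outside it.
    os.symlink(os.path.join(root, "secret.conf"), os.path.join(docs, "link"))
    params = ["page.zml", "../secret.conf", "../docs-old/old.zml",
              "/etc/passwd", "link"]
    return {p: resolve_inside(docs, p) is not None for p in params}


if __name__ == "__main__":
    for param, allowed in demo().items():
        print(f"{param!r:24} -> {'allowed' if allowed else 'rejected'}")
```

Stripping `..` from the parameter is weaker than this containment check, because absolute paths and symlinks reach outside the base without any dot-dot sequence.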
