Directory traversal vulnerability in quiz.cgi for Mike Spice Quiz Me! before 0.6 allows remote attackers to write arbitrary files via .. (dot dot) sequences in the quiz parameter.
Mike Spice Quiz Me! versions prior to 0.6 are vulnerable to a critical directory traversal attack. It allows a remote attacker to write arbitrary files on the server; by placing malicious scripts in web-accessible locations this can escalate to remote code execution and complete system compromise. Successful exploitation grants the attacker full control over the web server and potentially the underlying operating system.
Step 1: Payload Delivery: The attacker sends a malicious HTTP request to quiz.cgi with a crafted quiz parameter. The parameter contains a path that uses .. sequences to navigate the server's file system, combined with a filename and the content to be written.
Step 2: Path Manipulation: The quiz.cgi script receives the malicious request and processes the quiz parameter. Due to the lack of input validation, the script does not sanitize the .. sequences.
Step 3: File Creation/Overwrite: The script uses the manipulated path to write the attacker-supplied content to a file on the server. The attacker chooses the file's location and can target a directory served by the web server (e.g., the web root).
Step 4: Remote Code Execution (RCE): If the attacker writes a malicious script (e.g., a PHP script) to a location within the web server's document root, they can then execute the script by accessing it via a web browser. This grants the attacker remote code execution capabilities, allowing them to execute arbitrary commands on the server.
The vulnerability stems from insufficient input validation in the quiz.cgi script. The quiz parameter, which selects the quiz file to use, is passed straight into file-path construction without being checked for, or stripped of, directory traversal sequences. By injecting .. (dot-dot) sequences into this parameter, an attacker can walk the directory structure and write files outside the intended directory. This allows the attacker to overwrite existing files, upload malicious scripts (e.g., PHP, ASP, or other executable files), and ultimately achieve remote code execution (RCE). The absence of access control lists (ACLs) or other compensating controls further exacerbates the impact.
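The root cause above (a user-controlled quiz name joined straight onto a directory path) and the fix a maintainer would apply, as an added Python illustration rather than the Quiz Me! Perl code. It assumes quizzes are stored as `<base_dir>/<name>.quiz` and that the CGI parameter is named `quiz` as in the advisory; `escapes_base` is a hypothetical helper for triaging `quiz=` values seen in web-server logs.

```python
"""Added example (not the Quiz Me! code): a quiz.cgi-style lookup done the
vulnerable way and a confined version. Assumes quizzes live as
<base_dir>/<name>.quiz and the request parameter is called ``quiz``."""
import os
import re
from typing import Optional

# Constructed policy: a quiz name is a short identifier with no path syntax.
QUIZ_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def vulnerable_quiz_path(base_dir: str, quiz: str) -> str:
    """The pattern the advisory describes: the parameter is joined straight
    onto the quiz directory, so '..' segments (or an absolute path) leave it."""
    return os.path.normpath(os.path.join(base_dir, quiz))


def safe_quiz_path(base_dir: str, quiz: str) -> Optional[str]:
    """Return the file to use for ``quiz``, or None when the request is rejected.

    Two independent layers: an allow-list on the name (rejects '.', '/', '\\'
    and empty input) and a resolved-path check that the final file still sits
    under base_dir even if the first layer is ever loosened.
    """
    if not QUIZ_NAME.fullmatch(quiz):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, quiz + ".quiz"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def escapes_base(base_dir: str, quiz: str) -> bool:
    """True when the vulnerable join would land outside base_dir; handy when
    reviewing quiz= values pulled from access logs (hypothetical helper)."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(vulnerable_quiz_path(base, quiz))
    return os.path.commonpath([base, target]) != base


if __name__ == "__main__":
    base = "/srv/quizzes"  # constructed location
    for value in ("history1", "../outside", "sub/quiz", ""):
        print(repr(value), "escapes base:", escapes_base(base, value),
              "safe lookup:", safe_quiz_path(base, value))
```

Note that `sub/quiz` stays inside the directory yet is still rejected by `safe_quiz_path`: the allow-list enforces the intended name format, not merely containment.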