25C3-CTF
Advisory #43
From team Ailuropoda Melanoleucas
New advisory by: Samsa
Affected service(s): cgibas
Severity [lmh] : medium/high
===== Problem =====
Search functionality can be abused to retrieve confidential data.
The search uses wildcard matching, and the stored file contents are known to be hexadecimal data. Searching file contents for "1" therefore matches practically every file and discloses all the file names.
===== Impact =====
The flags are easily stolen.
===== Fix =====
Either remove the search functionality or make the search work without wildcards (exact match only).
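The following is an added illustration of the problem and of the proposed fix; it is not code from the cgibas service or from the advisory's authors. It assumes a hypothetical table with one row per file (name, hex content), a substring search implemented with SQL LIKE wildcards, and constructed sample files. Because every hex string of any length almost certainly contains a given digit, a one-character query returns every row; the hardened variant compares for equality and rejects non-hex input, so it has no wildcard semantics at all.

```python
import sqlite3

# Constructed sample data: file names (the flag-bearing secrets the advisory
# says are disclosed) paired with hex-encoded contents. The name/content
# layout is an assumption standing in for the real cgibas storage.
SAMPLE_FILES = {
    "flag_0001": "deadbeef0123456789abcdef",
    "flag_0002": "cafebabe1337c0de",
    "flag_0003": "0badf00d11223344",
    "notes": "f00dface100200300",
}

HEX_DIGITS = "0123456789abcdef"


def make_db():
    """Build an in-memory store mirroring the assumed (name, content) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (name TEXT, content TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?)", SAMPLE_FILES.items())
    return conn


def search_vulnerable(conn, term):
    """Substring search as the advisory describes it: the term is wrapped in
    LIKE wildcards, and any % or _ typed by the user is a wildcard too."""
    rows = conn.execute(
        "SELECT name FROM files WHERE content LIKE '%' || ? || '%'", (term,)
    )
    return sorted(r[0] for r in rows)


def enumerate_all_names(conn):
    """Attacker's view: at most sixteen queries, one per hex digit, recover
    every file name, since each hex content contains at least one digit."""
    names = set()
    for digit in HEX_DIGITS:
        names.update(search_vulnerable(conn, digit))
    return sorted(names)


def search_fixed(conn, term):
    """Exact-match search with no wildcard semantics. Input is normalised and
    must be pure hex, so '%' and '_' can never reach the query."""
    term = term.lower()
    if not term or any(c not in HEX_DIGITS for c in term):
        return []
    rows = conn.execute("SELECT name FROM files WHERE content = ?", (term,))
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, term '1':", search_vulnerable(db, "1"))
    print("vulnerable, term '%':", search_vulnerable(db, "%"))
    print("enumeration:", enumerate_all_names(db))
    print("fixed, term '1':", search_fixed(db, "1"))
    print("fixed, exact content:", search_fixed(db, "cafebabe1337c0de"))
```

The fixed variant only tells a caller whether a value they already hold exists, which is the most a search over secret content should reveal; an alternative that keeps partial matching (anchored prefix search with a minimum length and escaped metacharacters) still leaks one character per query and is not recommended here.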
Rating
[2] y00