PRODUCT
*******

AdStreamer
http://www.sha-la-la.com/adstreamer/

DESCRIPTION
***********

This software have many an open call that can exploited with Perl tricks
like ../, %00, |, etc.

bash-2.05$ egrep 'open|system|exec|eval' *.cgi
addbanner.cgi:#         This script is apart of the Banner Manager system.
It will add banners
addbanner.cgi:open(HEADERFILE, "banner/$thebannercat.dat") || die("error
opening the file $thebannercat.dat");
addbanner.cgi:open(HEADERFILE, ">banner/$thebannercat.dat") || die("error
opening the file $thebannercat.dat");
addbanner.cgi:  open(HEADERFILE, ">>banner/$logfile") || die("error
opening
the file $logfile");
addbanner.cgi:  open(HEADERFILE, ">banner/$logfile") || die("error opening
the file $logfile");
banner.cgi:#            This script is apart of the Banner Manager system.
It adds banner
banner.cgi:open(HEADERFILE, "$input{'cat'}.dat") || die("error opening the
file $input{'cat'}.dat");
banner.cgi:open(HEADERFILE, ">$input{'cat'}.dat") || die("error opening
the
file $input{'cat'}.dat");
banner.cgi:     open(HEADERFILE, ">>$logfile") || die("error opening the
file $logfile");
banner.cgi:     open(HEADERFILE, ">$logfile") || die("error opening the
file
$logfile");
bannereditor.cgi:#              This script is apart of the Banner Manager
system.  It preforms banner
bannereditor.cgi:open(HEADERFILE, "titles.dat") || die("error opening the
file titles.dat");
bannereditor.cgi:       open(HEADERFILE, "$input{'cat'}.dat") ||
die("error
opening the file $input{'cat'}.dat");
bannereditor.cgi:       open(HEADERFILE, ">$input{'cat'}.dat") ||
die("error
opening the file $input{'cat'}.dat");
bannereditor.cgi:       open(HEADERFILE, "$input{'cat'}.dat") ||
die("error
opening the file $input{'cat'}.dat");
bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:       open(HEADERFILE, ">categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:       open(HEADERFILE, ">ref.dat") || die("error opening
the file ref.dat");
bannereditor.cgi:       open(HEADERFILE, ">titles.dat") || die("error
opening the file titles.dat");
bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:               open(HEADERFILE, "$cat.dat") || die("error
opening the file $cat.dat");
bannereditor.cgi:               open(HEADERFILE, ">$cat.dat") ||
die("error
opening the file $cat.dat");
bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:               open(HEADERFILE, "$cat.dat") || die("error
opening the file $cat.dat");
bannereditor.cgi:       open(HEADERFILE, ">>ref.dat") || die("error
opening
the file ref.dat");
bannereditor.cgi:       open(HEADERFILE, ">>titles.dat") || die("error
opening the file titles.dat");
bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:                       open(HEADERFILE, "$cat.dat") ||
die("error opening the file $cat.dat");
bannereditor.cgi:                       open(HEADERFILE, ">>$cat.dat") ||
die("error opening the file $cat.dat");
bannereditor.cgi:       open(HEADERFILE, ">$input{'newcat'}.dat") ||
die("error opening the file $input{'newcat'}.dat");
bannereditor.cgi:       open(HEADERFILE, ">>categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:               open(HEADERFILE, "$cat.dat") || die("error
opening the file $cat.dat");
bannereditor.cgi:       open(HEADERFILE, "categories.dat") || die("error
opening the file categories.dat");
bannereditor.cgi:       open(HEADERFILE, "ref.dat") || die("error opening
the file ref.dat");
jump.cgi:#              This script is apart of the Banner Manager system.
It recieves every
jump.cgi:open(HEADERFILE, "ref.dat") || die("error opening the file
ref.dat");
jump.cgi:               open(HEADERFILE, ">>$logfile") || die("error
opening
the file $logfile");
jump.cgi:               open(HEADERFILE, ">$logfile") || die("error
opening
the file $logfile");
report2.cgi:#           This script is apart of the Banner Manager system.
It generates reports
report2.cgi:open(HEADERFILE, "titles.dat") || die("error opening the file
titles.dat");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi:    open(HEADERFILE, "$file.log") || die("error opening the
file
$file.log");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi:    open(HEADERFILE, "$file.log") || die("error opening the
file
$file.log");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi:    open(HEADERFILE, "$file.log") || die("error opening the
file
$file.log");
report2.cgi:open(HEADERFILE, "categories.dat") || die("error opening the
file categories.dat");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi:open(HEADERFILE, "categories.dat") || die("error opening the
file categories.dat");
report2.cgi:open(HEADERFILE, "$input{'log'}") || die("error opening the
file
$input{'log'}");
report2.cgi:open(HEADERFILE, "$input{'log'}") || die("error opening the
file
$input{'log'}");
report2.cgi:open(HEADERFILE, "$input{'log'}") || die("error opening the
file
$input{'log'}");
report2.cgi:opendir(LOGDIR, ".") || die("error");
report2.cgi:open(HEADERFILE, "categories.dat") || die("error opening the
file categories.dat");

VENDOR NOTIFICATION
*******************

Vendor is informed now with public. Not to worry, since malicious people
don't read Bugtraq.


GOBBLES LABS
GOBBLES@hushmail.com
http://www.bugtraq.org/