Summary:
Google Urchin contains a Local File Include (LFI) vulnerability that
allows arbitrary files to be read. Confirmed in version 5.7.03 running
on Linux. The issue may exist in other versions as well.
Analysis:
During normal usage, Google Urchin creates files on disk that are then
embedded into report pages for visual data representation.
Unfortunately, an LFI vulnerability is introduced because proper
filtering is not performed. The included files live under
$INSTALL_PATH and look something like this:
data/cache/localhost/admin-1102-23087-1292412725.
"""
$ file ./data/cache/localhost/admin-1102-23087-1292412725
./data/cache/localhost/admin-1102-22410-1292411043: XML document text
$ head ./data/cache/localhost/admin-1102-23087-1292412725
]>