Subject: Black Watch Labs Vulnerability Alert
From: Blackwatchlabs (blackwatchlabs@PERFECTOTECH.COM)
Date: Fri May 05 2000 - 17:52:11 CDT


Dear Security Professional,

The following vulnerability:

    "Environment and Setup Variables Can Be Viewed Through DBMan (db.cgi) Script"

is in the text of the message below and has just been posted to the
Black Watch Labs Web site at
http://www.perfectotech.com/blackwatchlabs/

Thank you,
Black Watch Labs

If you wish to unsubscribe from this Black Watch Labs email update, please
click on reply and type the word "Unsubscribe" in the subject line.

--------------------------------------------------------------------------------------------------------------------------------

Environment and setup variables can be viewed through DBMan (db.cgi) script

Perfecto’s Black Watch Labs Advisory BWL 00-05 (May 5, 2000)

Name:
Environment and setup variables can be viewed through DBMan script

Black Watch Labs ID:
BWL 00-05

Date Released:
May 5, 2000

Category:
Application(HTML): modification of parameters, debug options.

Products affected:
Gossamer Threads’ DBMan (db.cgi)

Number of affected sites:
It is estimated that there are more than 2,000 pages containing links to
db.cgi. The Gossamer Threads site contains a list of some sites that use
DBMan:
http://www.gossamer-threads.com/scripts/resources/DBMan/Sites_In_Action/

Summary:
The script allows several environment variables to be viewed by an
attacker, who can gain useful information about the site, making further
attacks more feasible.

Analysis:
DBMan dumps useful information (e.g. script location, HTTP root, version
of Perl, server_admin, server_name, path) to the browser when the
database file provided is incorrect.

Exploits:
DBMan: the demo site of DBMan does not contain a database named no-db,
thus the following URL displays the environment dump:
http://www.gossamer-threads.com/scripts/dbman/db.cgi?db=no-db

Vendor Patch or workaround:
http://www.gossamer-threads.com/scripts/dbman (we should get this from
the vendor Friday)
To fix, replace cgierr in db.cgi with:

sub cgierr {
# --------------------------------------------------------
# Displays any errors and prints out FORM and ENVIRONMENT
# information. Useful for debugging.

    if (!$html_headers_printed) {
        print "Content-type: text/html\n\n";
        $html_headers_printed = 1;
    }
    print "DBMan encountered an internal error. ";
    if ($db_debug) {
        print "<PRE>\n\nCGI ERROR\n==========================================\n";
        $_[0] and print "Error Message : $_[0]\n";
        $0 and print "Script Location : $0\n";
        $] and print "Perl Version : $]\n";
        $db_setup and print "Setup File : $db_setup.cfg\n";
        $db_userid and print "User ID : $db_userid\n";
        $db_uid and print "Session ID : $db_uid\n";

        print "\nForm Variables\n-------------------------------------------\n";
        foreach $key (sort keys %in) {
            my $space = " " x (20 - length($key));
            print "$key$space: $in{$key}\n";
        }
        print "\nEnvironment Variables\n-------------------------------------------\n";
        foreach $env (sort keys %ENV) {
            my $space = " " x (20 - length($env));
            print "$env$space: $ENV{$env}\n";
        }
        print "\n</PRE>";
    }
    else {
        print "Please enable debugging to view.";
    }
    exit -1;
}

This will only enable the displaying of environment variables if
$db_debug is turned on in the config file. Users should turn this off
when they are done testing.
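
To see whether a site received such requests before the fix went in, access logs can be searched for db.cgi requests whose db parameter names a database that does not exist. The Python below is an added example, not part of the Black Watch Labs advisory or of DBMan; the log lines are constructed, and KNOWN_DBS and find_unknown_db_requests are hypothetical names.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the databases that really exist on this site, i.e. the
# <name>.cfg setup files installed alongside db.cgi.
KNOWN_DBS = {"default"}

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [05/May/2000:17:40:01 -0500] "GET /scripts/dbman/db.cgi?db=default&uid=default HTTP/1.0" 200 2310
192.0.2.77 - - [05/May/2000:17:41:12 -0500] "GET /scripts/dbman/db.cgi?db=no-db HTTP/1.0" 200 4127
192.0.2.77 - - [05/May/2000:17:41:30 -0500] "GET /scripts/dbman/db.cgi?uid=default&db=%6eo-db HTTP/1.0" 200 4127
192.0.2.10 - - [05/May/2000:17:42:00 -0500] "GET /index.html HTTP/1.0" 200 512
192.0.2.91 - - [05/May/2000:17:43:09 -0500] "POST /scripts/dbman/db.cgi HTTP/1.0" 200 1800
"""

# client, identd, user, [timestamp], "METHOD target protocol", status, size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')


def find_unknown_db_requests(log_text, known_dbs=KNOWN_DBS, script="db.cgi"):
    """Return (client, time, db_value) for db.cgi hits naming an unknown database."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        client, when, _method, target, _status, _size = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/" + script):
            continue  # request is for some other resource
        # parse_qs percent-decodes values, so %6eo-db is compared as no-db
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("db", []):
            if value not in known_dbs:
                hits.append((client, when, value))
    return hits


if __name__ == "__main__":
    for client, when, value in find_unknown_db_requests(SAMPLE_LOG):
        print(f"{when}  {client}  db={value!r}")
```

Requests sent with POST carry db in the request body, which access logs do not record, so this covers GET traffic only.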

References and Links:
Gossamer Scripts (DBMan): http://www.gossamer-threads.com/scripts/dbman/

Gossamer Scripts DBMan demo site:
http://www.gossamer-threads.com/scripts/dbman/db.cgi

About Black Watch Labs (www.perfectotech.com/blackwatchlabs/)
Black Watch Labs is a research group operated by Perfecto Technologies
Inc., leader in Web application security
management. Black Watch Labs was established in order to further the
knowledge of the Internet community in the
arena of Web application security management. Black Watch Labs publishes
security advisories regularly, which are
maintained at http://www.perfectotech.com/blackwatchlabs/, and are also
posted to relevant security lists and
websites.
Black Watch Labs also operates a Web application security mailing list,
which can be subscribed to at
http://www.perfectotech.com/blackwatchlabs/.
For more info about Black Watch Labs and Web Application Security
Management, please call (408) 855-9500 or
email BlackWatchLabs@perfectotech.com

About Perfecto Technologies (www.perfectotech.com)
Founded in 1997 and headquartered in Santa Clara, Calif., Perfecto
Technologies pioneered the market for Web
Application Security Management software. AppShield, Perfecto
Technologies' flagship product offering, is the first
to provide extreme security for customer-facing applications in dynamic
Web site environments. Perfecto
Technologies has customers in many sectors, including banking, etailing,
finance, government, and healthcare.
Privately held, Perfecto Technologies is funded by blue-chip venture
capital firms and industry leaders, including
Sequoia Capital, Walden, and Intel Corporation. More information about
Perfecto Technologies may be obtained by
visiting the Company’s Website at www.perfectotech.com or by calling the
Company directly at (408) 855-9500.

Copyright © 1997-2000 Perfecto Technologies LTD. All rights reserved.
Permission is hereby granted to reproduce and distribute the application
security alerts herein in their entirety,
provided the information, this notice and all other Perfecto
Technologies marks remain intact.

Specific Limitations on Use of the Black Watch Labs Advisories
THIS ADVISORY INCLUDES INFORMATION WHICH WILL ILLUSTRATE CERTAIN
SECURITY RISKS AND
ISSUES ASSOCIATED WITH SITES ON THE INTERNET, INCLUDING, POTENTIALLY,
YOUR SITE. YOU AGREE
THAT YOUR VIEWING OF THIS ADVISORY IS SOLELY FOR THE PURPOSES OF
UNDERSTANDING THESE
RISKS AND ISSUES WITH RESPECT TO YOUR SITE AND THE PRODUCTS AND SERVICES
OFFERED BY
PERFECTO TECHNOLOGIES. YOU AGREE NOT TO USE ANY INFORMATION DISCLOSED TO
YOU FOR ANY
IMPROPER OR ILLEGAL PURPOSE, INCLUDING TO VIOLATE THE SECURITY OF ANY
OTHER PERSON'S
SITE. YOU ARE EXPLICITLY WARNED THAT THE USE FOR ANY IMPROPER PURPOSE OF
INFORMATION
DISCLOSED TO YOU COULD SUBJECT YOU TO CIVIL AND CRIMINAL LIABILITY IN
THE UNITED STATES AND
OTHER COUNTRIES.

NO WARRANTY
Any material furnished by Perfecto Technologies is furnished on an “as
is” basis and may change without notice.
Perfecto Technologies makes no warranties of any kind, either expressed
or implied as to any matter including but
not limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of
the material. Neither does Perfecto Technologies make any warranty of
any kind with respect to freedom from
patent, trademark or copyright infringement. In no event shall Perfecto
Technologies be liable for any damages
whatsoever arising out of or in connection with the use or spread of
this information. Any use of this information is at
the user's own risk.