OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Moreover Cached_Feed CGI Vulnerability
From: CDI (cdiTHEWEBMASTERS.NET)
Date: Mon Oct 02 2000 - 12:20:21 CDT


-----------------------------------------------------------
Arbitrary File Disclosure in Moreover.com's Cached_Feed.cgi

Application: cached_feed.cgi
Vendor: Moreover.com
Version: 1.0, Last Updated 4.July.00

         Note, the version is implied. They never actually put a version
         number in the file, just a "last updated" date.

Vendor Status: Notified, although they fixed it prior to my notification
               to them.

Fix: Download new version 2.0.
     http://w.moreover.com/dev/cache/

Synopsis:
  *yawn* Yet another CGI that lacks sufficient (or in this case -any-)
  input validation, leading to the exposure of readable files on the
  system.

Description:
  The cached_feed CGI supplied by Moreover.com is used to retrieve news
headlines from the Moreover.com site, and then store them for retrieval
and display within your own local web site. The program accepts two
arguments on the QUERY_STRING; The news category to retrieve, and the
format the headlines should be returned in. The two arguments are supplied
to the CGI using a raw query string in the form 'category+format' which
in turn becomes $ARGV:

  $category = ARGV[0];
  $format = ARGV[1];

These two lines comprise the bulk of the data validation performed by the
CGI. Here's the flaw in the source:

  # Constants
  $base_dir = ".";
  $cache_dir = "$base_dir/cached_newsfeeds";
  $cache_file = "$cache_dir/".$category.".".$format;

And a little later on...

  if ($age < $cache_time)
  {
     $feed = &obtain_file($cache_file);
  }

The 'obtain_file' function reads the file specified and returns it's
contents. The CGI wraps up by printing the contents of the file back to
the browser. '$cache_time' defaults to 15 minutes. This limits the
functionality of the exploit a bit as the targeted file needs to have been
created or modified in the last 15 minutes.

So, if your password file has been modified within the last 15 minutes,
the obvious exploit for this flaw will allow an intruder to retrieve the
file. The file will also be retrieved if the CGI is unable to contact the
Moreover server or if the Moreover server takes longer than 30 seconds to
respond. A crafty intruder could potentially induce such a delay using a
ping flood against the victim host.

Obvious Exploit:
  http://victim/cgi-bin/cached_feed.cgi?../../../.+/etc/passwd

Vendor Status:
  I first started playing with the CGI on Sept 5th. During my testing I
accidently tipped off Moreover by not immediately disabling the headline
retrieval function while I was testing. This means that Moreover's server
valiantly attempted to handle a few requests containing '/etc/passwd'
attempts. (I was trying to yank the password file off my own server, not
Moreovers) Apparently someone at Moreover was actually paying attention,
because on Sept 10th, they issued an updated verion of the CGI containing
the following change notes:

  # Version 2
  # ---------
  # In this version:
    <snip>
  # o Potential security hole fixed

Their fixes included exiting if unable to contact the Moreover server to
retrieve the headlines, as well as munging the requested cache file to
prevent directory traversal. (It still doesn't really validate - just
munges. *sigh*)

CDI
____________________________________
The Web Master's Net
http://www.thewebmasters.net/
   "We're sysadmins. We do remember. We don't forgive."
                      -- Mike Andrews in the Monastery