From: admincgisecurity.com
Date: Fri Mar 09 2001 - 18:45:45 CST


    The vendor has been contacted on this issue and it is being fixed.
    Please visit his page for further updates.

    Just so all the script kids know, it does allow partial command execution.
    The only limit to this is commands with arguments.
    (EX: limited to single commands like ls, ps)

    Debian also has this for download and the link is contained within the advisory.

    - zenomorph

    ***************************************************************************************

                                   [Cgi Security Advisory #4]
                                     admincgisecurity.com
                          Foldoc The Free On-line Dictionary of Computing

    Found
    Sometime in 2000
    (I forgot about it for awhile)

    Public release
    March 9th? 2001

    Script Affected: The Free On-Line Dictionary of Computing
    Price: It says free, silly!

    Versions affected:
    All versions appear to be

    Platforms:
    Unix, Linux
    (NT/2000 Unknown)

    Vendor
    www.foldoc.org
    http://wombat.doc.ic.ac.uk/foldoc/index.html

    2. Problem

    The problem lies in a file called template.cgi.
    This file has a variable named $file which does not validate its input.
    Below is an example of what you would enter to show the script's own source
    code.

    http://hostname/foldoc/template.cgi?template.cgi
    (Note: Paths may vary but this seems to be a popular one)

    This does allow command execution as well as remote file viewing.
    The command execution is limited to single commands without switches.
    (Ex: ps, ls, rm) This would LIMIT an attacker from executing a series of commands
    to bind a shell to a port. Command execution is allowed under the permissions
    of the webserver, which is normally user nobody.

    3. Fixes

    The vendor has been contacted about this security issue.
    Check the vendor webpage for further updates or use the included
    vendor patch at the bottom of this advisory.

    3a. Temp Fix

    Find template.cgi and make sure the executable bit is removed for the world (chmod 750).
    We have found 1 site that has done this and their software appears to be working properly.
    (Note: Not tested otherwise)

    Additional:

    We have found that Debian also distributes this, from a few searches online.
    http://packages.debian.org/stable/text/dict-foldoc.html

    ******************************************************************************************
                                     VENDOR PATCH BELOW THIS LINE
    ******************************************************************************************

    <--- Insert patch here --->
    The main change was to check the filename from the QUERY_STRING:

      # Check for dodgy paths in file
      if ($file =~ m|/|) {print "Bad file \"$file\""; exit 0}

    and add a "<" to try to ensure that it is only opened for reading

      unless (open IN, "< $file") {print "Can't read $file: $!\n"; exit 0}

    <--- End of patch --->

    Note: Patch included from vendor. It will, on the other hand,
    still allow reading of any file in the present dir, which means that
    if you have any important files with passwords in this directory
    you have been warned.

    This script needs to be able to read various file types and the vendor
    decided not to limit it to certain file types only. While this may normally
    be a good idea to incorporate, this script lies within its own directory of "foldoc".
    This means only files within "foldoc" could be read.
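
    As an added illustration (not the FOLDOC vendor's code and not part of this advisory), the Perl below applies the two defences the vendor patch points at: an allowlisted basename instead of only rejecting "/", and a fixed read-only mode via three-argument open() instead of the prepended "<". The template directory and the refusal to serve .cgi/.pl files are assumptions.

```perl
#!/usr/bin/perl
# Added example, not the FOLDOC vendor's template.cgi: a hardened template
# loader showing the two defences the vendor patch points at.
use strict;
use warnings;

my $TEMPLATE_DIR = '/var/www/foldoc';   # assumed install location

# Allowlist the template name: a plain basename of safe characters, so no
# "/" (path traversal), no "|", "<", ">" or whitespace (the characters a
# two-argument open() reads as a pipe or mode prefix), and no leading dot.
sub safe_template_name {
    my ($name) = @_;
    return unless defined $name;
    return unless $name =~ /\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\z/;
    return if $name =~ /\.\./;                 # no "a..b" style names either
    return if $name =~ /\.(?:cgi|pl)\z/i;      # assumed: never serve the scripts themselves
    return $name;
}

# Read a validated template. Three-argument open() fixes the mode in the
# program, so the input can never turn the open into a pipe or a write.
sub read_template {
    my ($query) = @_;
    my $name = safe_template_name($query);
    return unless defined $name;
    my $path = "$TEMPLATE_DIR/$name";
    open(my $fh, '<', $path) or return;
    local $/;                                  # slurp the whole file
    my $content = <$fh>;
    close $fh;
    return $content;
}

# Constructed inputs; only the name check runs here, no file is opened.
for my $q ('about.html', 'template.cgi', 'ls|', '../../etc/passwd', '< /etc/passwd') {
    printf "%-20s -> %s\n", $q,
        (defined safe_template_name($q)) ? 'accepted' : 'rejected';
}
```

    Only about.html passes the check; every other constructed name is rejected before any file system access happens.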

    Published to the Public March 2001
    Copyright March 2001 Cgisecurity.com