From: Franklin DeMatto (franklinQDEFENSE.COM)
Date: Mon Apr 16 2001 - 20:30:24 CDT
qDefense Advisory Number QDAV-5-2000-1
Vendor: DCScripts (www.dcscripts.com)
Version Tested: DCForum 2000 1.0
Severity: Any remote attacker may gain read/write/execute privileges
Cause: Failure to validate input; Trust of hidden fields; Allows uploading
of arbitrary files by default
Solution: Provided here
DCForum is a popular CGI to create message boards on web sites.
It contains, however, a number of serious vulnerabilities.
In line 121 of file dcboard.cgi, there is a line "require <prefix><az
hidden form field><suffix>;". (The exact line was not quoted due to
The perl statement "require EXPR" will open the file EXPR, parse it, and
execute it, as regular perl, as if the entire contents of that
file appeared at that point. Therefore, an attacker who writes a file
containing perl commands to the server will be able to execute
them by setting the az field to the name of his file on the server.
To make matters worse, no input checking is done on the az field, so as
long as the file is located anywhere on the server, an attacker
can reference it, using double dots to undo the prefix and a %00 to
truncate off the suffix.
Getting the file onto the server is no problem either. DCForum, by default,
allows any user to upload any file, by setting
az=upload_file. However, there are other ways of getting files onto the
server, so even servers that disable uploading are vulnerable.
Patch dcboard.cgi to remove double dots and poison nulls
(Note: this solution by no means ensures DCForum's security; it merely is a
band-aid for this vulnerability)
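As an added illustration (not DCScripts' code), the pattern described above written out in Perl, beside the band-aid recommended here and an allow-list check that does not rely on stripping; the prefix, suffix and action names are assumptions, since the advisory does not quote them.

```perl
#!/usr/bin/perl
# Added example, not DCScripts' code. Prefix, suffix and the action set are
# assumptions; the advisory does not quote dcboard.cgi's real values.
use strict;
use warnings;

my $PREFIX = 'dcforum_';   # assumed
my $SUFFIX = '.pl';        # assumed

# Unsafe: the client-controlled az field reaches require unchanged.
# "../" walks out of the prefix; on the Perl of the era the C-level open()
# stopped at a NUL (URL-decoded %00), dropping the suffix.  Current Perl
# refuses filenames containing NUL, but the traversal part still applies.
sub unsafe_module_path {
    my ($az) = @_;
    return $PREFIX . $az . $SUFFIX;
}

# Band-aid from the advisory: drop poison nulls and double dots.
# Nulls go first; if dots were stripped first, ".\0." would survive that
# pass and turn into ".." once the NUL is removed.
sub bandaid_module_path {
    my ($az) = @_;
    $az =~ s/\0//g;
    $az =~ s/\.\.//g;
    return $PREFIX . $az . $SUFFIX;
}

# Stronger: az may only name a known action, and the path is assembled
# from the server's own table, never from the client's bytes.
my %ACTION = map { $_ => 1 } qw(list read post upload_file);   # assumed set

sub allowlisted_module_path {
    my ($az) = @_;
    return undef unless defined $az && $az =~ /\A[A-Za-z0-9_]{1,32}\z/;
    return undef unless $ACTION{$az};
    return $PREFIX . $az . $SUFFIX;
}

# Constructed inputs: the az field as seen after the CGI layer URL-decodes it.
my @inputs = ("list", "upload_file", "dcboard", "../../tmp/evil\0");
for my $az (@inputs) {
    (my $shown = $az) =~ s/\0/\\0/g;
    my $ok = allowlisted_module_path($az);
    printf "%-20s bandaid=%-28s allowlist=%s\n", $shown,
        bandaid_module_path($az), defined $ok ? $ok : 'rejected';
}
```

Only the allow-listed path should ever be handed to require; the band-aid output is shown so the difference between sanitising a path and refusing to build one is visible.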
qDefense - DEFENDING THE ELECTRONIC FRONTIER