Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Franklin DeMatto (franklinQDEFENSE.COM)
Date: Mon Apr 16 2001 - 20:30:24 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    qDefense Advisory Number QDAV-5-2000-1
    Product: DCForum
    Vendor: DCScripts (www.dcscripts.com)
    Version Tested: DCForum 2000 1.0
    Severity: Any remote attacker may gain read/write/execute privilleges
    Cause: Failure to validate input; Trust of hidden fields; Allows uploading
    of arbitrary files by default
    Solution: Provided here

    DCForum is a popular CGI to create message boards on web sites.

    It contains, however, a number of serious vulnerabilities.

    In line 121 of file dcboard.cgi, there is a line "require <prefix><az
    hidden form field><suffix>;". (The exact line was not quoted do to
    copyright limitations.)

    The perl statement "require EXPR" will open the file EXPR, parse it, and
    execute it, as regular perl, as if the entire contents of that
    file appeared at that point. Therefore, an attacker who writes a file
    containing perl commands to the server will be able to execute
    them by setting the az field to the name of his file on the server.

    To make matters worse, no input checking is done on the az field, so as
    long the file is located anywhere on the server, an attacker
    can reference it, using double dots to undo the prefix and a %00 to
    truncate off the suffix.

    Getting the file onto the server is no problem either. DCForum, by default,
    allows any user to upload any file, by setting
    az=upload_file. However, there are other ways of getting files onto the
    server, so even servers that disable uploading are vulnerable.


    Patch dcboard.cgi to remove double dots and poison nulls

    Disable uploading

    (Note: this solution by no means ensures DCForum's security; it merely is a
    band-aid for this vulnerability)
    Franklin DeMatto