OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Klaus Ripke (kripopenisis.org)
Date: Thu Mar 28 2002 - 10:26:57 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Name : wwwisis remote command execution and get files
    Software Package : wwwisis
    possibly affected : JavaISIS and other tools based on wwwisis
    Vendor Homepage : http://www.bireme.br/isis/I/wwwi.htm
    Vulnerable Versions: 3.45 verified, probably others
    Platforms : Linux verified, probably others
    Vulnerability Type : Input Validation Error
    Vendor Contacted : 28 Feb 2002
    Vendor Replied : 01 Mar 2002

    CONTACT INFORMATION
    ===============================================================================

    Name : Klaus Ripke
    E-mail : kripopenisis.org

    Vendor contact name : Abel Laerte Packer
    Vendor contact e-mail : abelbrm.bireme.br

    TECHNICAL INFO
    ===============================================================================

    Introduction:

    wwwisis runs as cgi to query mostly bibliographical databases.
    Deployed on probably some hundred systems or more.
    While this vuln is probably currently not being exploited,
    it's possible to install workarounds right now,
    therefore this information is published.

    Summary:

    In common setups of wwwisis, query parameters can be forged
    to have wwwisis execute any (shell) command and display any
    readable file as allowed for the user of the cgi process.
    Vulnerability can be avoided with careful setup.

    Description:

    Input parameters from query string are not checked for bad input.
    In common plain-vanilla setups such as the examples in the manual,
    it is possible to have the process execute any format as sent by the
    remote user. The formatting language has some too powerful functions.
    There is also an alternate attack possibility abusing PATH_INFO.

    Impact:

    Ability to execute any command and get any file as allowed for
    the cgi process.

    Exploits:

    Since there is not yet a fix published,
    and the vuln is probably currently not being exploited,
    details are to follow at a later time.

    Workaround:

    Avoid wwwisis being called directly -- wrap it up in a perl -t script.
    Wipe out any suspicious stuff from query params, clean up the ENV,
    then exec wwwisis with a list of params. Read the perlsec manpage.

    Vendor Status:

    Bireme will check it out.