OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Steve Gustin (stegus1yahoo.com)
Date: Tue Jun 11 2002 - 16:00:51 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    CGIscript.net - csNews.cgi - Multiple Vulnerabilities
    ---------------------------------------------------------------------
    Date : June 11, 2002
    Product : csNews.cgi (csNews standard)
                csNews.cgi (csNews Pro)

    Vendor : WWW.CGIscript.NET, LLC.
    Homepage : http://www.cgiscript.net/

    DISCUSSION:
    ---------------------------------------------------------------------
    From the website "Update and maintain articles and
    news items on your web site with this full-featured
    and extremely flexible content management system."

    The following issues have been found:

    ACCESS REQUIRED : NONE

    - path disclosure vulnerability, filepath, ENV, and
    config data displayed by errors
      CSNews.cgi?command=viewnews&database=none

    - Database files can be viewed/downloaded by accessing
    the database file through a browser. Note: You'll need
    to double url encode names!
      "default%2edb".

    - Database usernames and password can be access by
    accessing the database style & config file
    "database.style". Note: You'll need to double url
    encode names! "default%2edb.style". Usernames or
    passwords in this file may be viewable.

    ACCESS REQUIRED : "ANONYMOUS" or "PASSWORD PROTECTED"
    Public Management

    - "Advanced Settings", usually restricted to admin
    users, can be viewed, updated and saved by accessing
    this URL:
     
    CSNews.cgi?database=default%2edb&command=showadv&mpage=manager

    - Admin options, usually restricted to admin users,
    can be viewed by regular users with this url:
     
    CSNews.cgi?command=manage&database=default%2edb&mpage=manager

    - "Advanced Settings", user can set any file or system
    command to be set for 'header' and 'footer'. This
    could be done by submitting a hand crafted form page,
    a perl LWP script, or with this simple javascript.
    This example will display the setup.cgi file which
    contains the superuser name and password.

    javascript:alert(document.form1.pheader.value='setup.cgi');

    javascript:alert(document.form1.pfooter.value='setup.cgi');

    - "Advanced Settings", any user will access to the
    advanced setting (granted with anonymous access, user
    access, or admin access) can execute perl and system
    commands by adding any of the following to any text
    field:
      \"; PERL_CODE_HERE \"

    SOLUTION
    ---------------------------------------------------------------------
    Contact vendor for updated version, only allow
    completely trusted users to access the application,
    disable access to .style and *db files through
    Apache .htaccess files.

    DISCLAIMER
    ---------------------------------------------------------------------
    The information within this document may change
    without notice. Use of this information constitutes
    acceptance for use in an AS IS condition. There are NO
    warranties with regard to this information. In no
    event shall the author be liable for any consequences
    whatsoever arising out of or in connection with the
    use or spread of this information. Any use of this
    information lays within the user's responsibility.

    __________________________________________________
    Do You Yahoo!?
    Yahoo! - Official partner of 2002 FIFA World Cup
    http://fifaworldcup.yahoo.com