6200960 2001-03-09 19:45 -0500 /129 lines/ admin@cgisecurity.com <admin@CGISECURITY.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-03-11 20:30 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: admin@CGISECURITY.COM
Recipient: Bugtraq (import) <15855>
Subject: Cgisecurity.com advisory #4 The Free On-line Dictionary of Computing
------------------------------------------------------------
From: "admin@cgisecurity.com" <admin@CGISECURITY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200103100045.TAA26790@iridium.mv.net>

The vendor has been contacted on this issue and it is being fixed. Please visit his page for further updates.

Just so all the script kids know: it does allow partial command execution. The only limit to this is commands with arguments (e.g. it is limited to single commands like ls, ps).

Debian also has this for download, and the link is contained within the advisory.

- zenomorph

***************************************************************************************

[Cgi Security Advisory #4]                                   admin@cgisecurity.com

Foldoc, The Free On-line Dictionary of Computing

Found: Sometime in 2000 (I forgot about it for a while)
Public release: March 9th? 2001

Script affected: The Free On-Line Dictionary of Computing
Price: It says free, silly!
Versions affected: All versions appear to be
Platforms: Unix, Linux (NT/2000 unknown)

Vendor:
www.foldoc.org
http://wombat.doc.ic.ac.uk/foldoc/index.html

2. Problem

The problem lies in a file called template.cgi. This file takes a filename from the query string into the variable $file and does not validate it before opening it. Below is an example of what you would enter to make the script show its own source code:

http://hostname/foldoc/template.cgi?template.cgi

(Note: Paths may vary, but this one seems to be a popular one.)

This allows command execution as well as remote file viewing. The command execution is limited to single commands without switches (e.g. ps, ls, rm). This limits an attacker from executing a series of commands to bind a shell to a port. Commands run under the permissions of the webserver, which is normally the user "nobody".

3. Fixes

The vendor has been contacted about this security issue. Check the vendor webpage for further updates, or use the included vendor patch at the bottom of this advisory.

3a. Temp Fix

Find template.cgi and make sure the executable bit is removed for the world (chmod 750). We have found one site that has done this, and their software appears to be working properly. (Note: Not tested otherwise.)

Additional: A few searches online show that Debian also distributes this:
http://packages.debian.org/stable/text/dict-foldoc.html

******************************************************************************************
VENDOR PATCH BELOW THIS LINE
******************************************************************************************

<--- Insert patch here --->

The main change was to check the filename from the QUERY_STRING:

# Check for dodgy paths in file
if ($file =~ m|/|) {print "Bad file \"$file\""; exit 0}

and add a "<" to try to ensure that it is only opened for reading

unless (open IN, "< $file") {print "Can't read $file: $!\n"; exit 0}

<--- End of patch --->

Note: Patch included from vendor. It will, on the other hand, still allow reading of any file in the present directory, which means that if you keep any important files with passwords in this directory, you have been warned. This script needs to be able to read various file types, and the vendor decided not to limit it to certain file types only. While such a limit would normally be a good idea, this script lives within its own directory, "foldoc", so only files within "foldoc" can be read.

Published to the Public March 2001
Copyright March 2001 Cgisecurity.com

(6200960) --------------------------------(Rewrapped)
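Review bot: the hardened open is still Perl's two-argument form, `unless (open IN, "< $file")`, so read-only mode depends on the literal "<" prefix being kept in front of whatever $file contains; the three-argument form, `open IN, '<', $file`, fixes the mode independently of the filename and never treats a leading or trailing "|" in $file as a command, which is the behaviour behind the "single command" execution described in section 2. The slash check `if ($file =~ m|/|)` rejects paths but accepts any name in the script's own directory, template.cgi included, so the source-disclosure URL in section 2 still works after the patch; an exact-match list of the template names the script actually serves would close that, where the advisory's "any file in the present dir" caveat otherwise stands.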
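As an added illustration (not part of the advisory or the FOLDOC vendor's patch), the following Perl script compares the vendor's slash check against an exact-match allowlist on constructed inputs shaped like the ones the advisory describes (the script's own source, directory traversal, an absolute path, and a bare command name in Perl's two-argument open() pipe syntax), and shows the three-argument open() that removes the command-execution path regardless of which check is used. The template names in %ALLOWED and the directory passed to open_template() are assumptions.

```perl
#!/usr/bin/perl
# Added example, not the advisory's or the FOLDOC vendor's code. Template
# names in %ALLOWED and the template directory are assumptions.
use strict;
use warnings;

# Templates the script is meant to serve (assumed names).
my %ALLOWED = map { $_ => 1 } qw(header.html footer.html entry.html);

# The vendor's check from the advisory: reject any name containing "/".
# This stops "../etc/passwd" and "/etc/passwd", but every file in the
# script's own directory, template.cgi included, still passes.
sub vendor_check {
    my ($file) = @_;
    return ($file =~ m|/|) ? 0 : 1;
}

# Exact-match allowlist: only the names the script actually serves pass.
# "template.cgi", "ls|" and "|rm" contain no slash, so only this check
# rejects them.
sub allowlist_check {
    my ($file) = @_;
    return exists $ALLOWED{$file} ? 1 : 0;
}

# Opening an accepted template. The 3-argument open() fixes the mode to
# read-only and treats $file purely as a path, so a leading or trailing "|"
# is never interpreted as "run this command" the way 2-argument open() does
# (the mechanism behind the advisory's "single command" execution).
# Returns a filehandle, or undef if the name is rejected or the file is
# missing.
sub open_template {
    my ($dir, $file) = @_;
    return undef unless allowlist_check($file);
    open(my $in, '<', "$dir/$file") or return undef;
    return $in;
}

# Constructed inputs modelled on the advisory.
my @inputs = ('entry.html', 'template.cgi', '../../etc/passwd',
              '/etc/passwd', 'ls|', '|rm');

printf("%-18s vendor_check=%d allowlist_check=%d\n",
       $_, vendor_check($_), allowlist_check($_)) for @inputs;

# A rejected name never reaches the filesystem: this returns undef without
# touching the disk, whereas 2-argument open("ls|") would have run ls.
my $fh = open_template('.', 'ls|');
print defined $fh ? "opened\n" : "rejected before open()\n";
```

The slash check alone leaves the source-disclosure URL from section 2 working; the allowlist closes it, and the three-argument open() means that even a mistake in the check can only disclose a file, never run a program.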