[UNIX] Avenger's News System Command Execution Vulnerability
From: support@securiteam.com
Date: 03/03/02
From: support@securiteam.com To: list@securiteam.com Date: Sun, 3 Mar 2002 08:48:21 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Avenger's News System Command Execution Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://ans.gq.nu/> Avenger's News System (ANS) is a Perl-based solution
for creating an easy-to-update and easy-to-maintain web site. Instead of
constantly uploading new news pages and wrestling with HTML, you can post
content via a web-based form. A security vulnerability in the product allows
command execution by remote attackers who have access to the ANS page.
DETAILS
The variable $QUERY is defined in the configuration file as:
<define QUERY>"$ENV{'QUERY_STRING'}"
When the script runs, it checks for a POST and then checks for a plugin.
The problem is in the plugin subroutine:
if (substr($QUERY, 0, 2) eq "p=")
{
    $plugin = substr((split /&/, $QUERY)[0], 2);
    if (index("$QUERY", "&") < 0) { $QUERY = ""; }
    else { $QUERY = substr($QUERY, index("$QUERY", "&")+1); }
    open (PLUGIN, "$FILE_LOCATION/$plugin");
    @plugin = <PLUGIN>;
    close (PLUGIN);
    eval("@plugin");
    exit;
}
No filtering is done on this user input: the plugin name taken from $QUERY is
passed straight into a two-argument open(), so a '|' in the name turns the
open() into a pipe to a command, and '..' sequences let it reach outside
$FILE_LOCATION. Command execution is therefore possible.
Exploit:
ans.pl?p=../../../../bin/command argument|&blah
Fix:
Filter sequences such as '..' and pass an explicit mode (<, <<, >, >>) when calling open().
Replace the above code with this:
if (substr($QUERY, 0, 2) eq "p="){
    $QUERY =~ s/([\&;\`'\\\|"*?~<>^\(\)\[\]\{\}\$\n\r])/\\$1/g; #filter meta characters
    $QUERY =~ s/\.\.//g; #filter double dot (..)
    $plugin = substr((split /&/, $QUERY)[0], 2);
    if (index("$QUERY", "&") < 0) { $QUERY = ""; }
    else { $QUERY = substr($QUERY, index("$QUERY", "&")+1); }
    open (PLUGIN, "<$FILE_LOCATION/$plugin"); #added a < to the open() - readonly
    @plugin = <PLUGIN>;
    close (PLUGIN);
    eval("@plugin");
    exit;
}
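As an added illustration of the fix (not code from the advisory or from ANS), the loader below rejects a plugin name that is not a bare allowlisted file name instead of escaping metacharacters, builds the path under an assumed $PLUGIN_DIR, and uses three-argument open() so the mode is fixed by the program; $PLUGIN_DIR, the name pattern and the function names are assumptions.

```perl
#!/usr/bin/perl
# Added example, not part of ANS or the advisory.
use strict;
use warnings;
use File::Spec;

# Assumed plugin directory (ANS calls its equivalent $FILE_LOCATION).
my $PLUGIN_DIR = '/var/www/ans/plugins';

# Return the validated plugin name, or undef. Only a bare file name made of
# [A-Za-z0-9_-] plus a .pl suffix passes; '..', '/', '|', '&' and every other
# open()/shell metacharacter is rejected outright rather than escaped.
sub validate_plugin_name {
    my ($name) = @_;
    return undef unless defined $name;
    return $name =~ /\A([A-Za-z0-9_-]{1,64}\.pl)\z/ ? $1 : undef;
}

# Split a raw QUERY_STRING "p=NAME&rest" into (NAME, rest), as ANS does,
# but with a bounded split so only the first '&' is significant.
sub split_query {
    my ($query) = @_;
    return (undef, $query) unless substr($query, 0, 2) eq 'p=';
    my ($first, $rest) = split /&/, $query, 2;
    return (substr($first, 2), defined $rest ? $rest : '');
}

# Load and eval a plugin only after the name check passes.
sub load_plugin {
    my ($query) = @_;
    my ($raw, $rest) = split_query($query);
    my $name = validate_plugin_name($raw);
    die "rejected plugin name\n" unless defined $name;
    my $path = File::Spec->catfile($PLUGIN_DIR, $name);
    # Three-argument open: the '<' mode lives in the program, so no
    # character in $name can turn this into a pipe or a write.
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    my $code = do { local $/; <$fh> };
    close $fh;
    eval $code;            # still eval, but only of an admin-placed file
    die "plugin error: $@" if $@;
    return $rest;
}

# Constructed query strings: one legitimate, two that the advisory's pattern
# would have passed to open() unchanged.
for my $q ('p=news.pl&x=1', 'p=../../../../bin/command argument|&blah', 'p=|id&') {
    my ($raw) = split_query($q);
    printf "%-45s -> %s\n", $q, defined validate_plugin_name($raw) ? 'accepted' : 'rejected';
}
```

Only the first query string is accepted; the loop exercises the name check alone, and load_plugin() is what the CGI would call once a plugin directory exists.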
ADDITIONAL INFORMATION
The information has been provided by <mailto:b0iler@hotmail.com> b0iler.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.