[UNIX] Mod_Survey ENV Tag Security Vulnerability
From: firstname.lastname@example.org To: email@example.com Date: 29 Mar 2003 20:00:48 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
In the US?
Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!
Please contact us at: 323-882-8286 or firstname.lastname@example.org
- - - - - - - - -
Mod_Survey ENV Tag Security Vulnerability
<http://gathering.itm.mh.se/modsurvey/> Mod_Survey is an Apache module
that displays and handles questionnaires written in a special XML-based
markup language. Mod_Survey is primarily targeted towards Linux/Unix, but
is possible to run in Windows.
If ENV tags are used in surveys it is, under certain circumstances,
possible for an outside evil person to send arbitrary data to the data
handling system. This could corrupt the data repository or, in the case of
badly configured RDBMSs, be used to execute arbitrary database commands.
This only affects survey files where ENV tags are used.
All versions from version 3.0.9 up to (but not including) 3.0.14e and
3.0.15-pre6 are vulnerable. Thus, the following versions have the problem:
Versions 3.0.8 and earlier
In version 3.0.9, ENV tags were introduced as a way to submit data from
the environment to the data repository along with the actual questionnaire
answers. This is, when used at all, usually used for gathering info such
as from which IP the respondent has connected, or which user agent the
respondent is using.
So far, this data has been sent unchecked to the data sub system. However,
a malicious user could easily construct some of the most common
environment variables and thus send arbitrary data to the system.
One example would be if the survey author is using an ENV tag with the
field HTTP_USER_AGENT. The evil cracker could then change this string in
his browser to something that he knew would corrupt the data repository,
such as the delimiting character for ASCIIFILE/AUTODATA save methods or
meta characters for the DBI save method.
In versions 3.0.14e and 3.0.15-pre6, this has been solved through the
encoding of the environment string. With this, encoding all "dangerous"
characters are encoded to %XX where XX is the character's hex code. Thus,
a semi-colon is submitted as %1B rather than as a semi-colon.
Anyone can exploit this by changing the user_agent string in his browser.
There are several points limiting the impact of the problem: The ENV tag
must be actively chosen and inserted by a survey author for the above to
be a problem. Secondly, most fields are not possible to change from the
outside as they are set by Apache. Thirdly, unless access is given to the
source of the survey, there is no way to know from the outside whether an
ENV tag is used at all.
For systems with 3.0.14d or earlier installed, upgrade to 3.0.14e. For
systems with versions from 3.0.15-pre1 to -pre5, upgrade to 3.0.15-pre6.
If you only have trusted users on the system, you can also simply refrain
from using ENV tags. Surveys that do not include the ENV tags are not
The original advisory can be downloaded from:
The information has been provided by <mailto:email@example.com> Joel
Palmius and Nicklas Deutschmann.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: firstname.lastname@example.org
In order to subscribe to the mailing list, simply forward this email to: email@example.com
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.