Re: S21SEC-024 - Vignette TCL Injection

From: Stefan Bethke (
Date: 05/28/03

    Date: Wed, 28 May 2003 12:15:57 +0200

    On Monday, 26.05.03, at 16:14 (Europe/Berlin), S21SEC wrote:

    > The affected Vignette commands are:
    > - NEEDS
    > All the TCL templates or scripts that use these commands are
    > vulnerable to remote code injection.

    This is overly broad. The actual vulnerability depends on the code path
    taken in the NEEDS Tcl procedure.

    > SET queryString [SHOW HTTP_QUERY_STRING] <--- (!)

    This problematic line was already identified by Bas Scheffers (IIRC).

    > regsub -all {; } [SHOW HTTP_COOKIE] { } cookieString <--- (!)

    > -- Lines 1272/1277 (VALID_PATHS command) --

    > system_error "Invalid path \"$_Path\" for template (referer='[SHOW HTTP_REFERER]')" <--- (!)

    > As seen, the value of some unfiltered variables is used and evaluated
    > with the SHOW command. If the external variable contains Vignette
    > code, then arbitrary TCL execution is possible. The affected input
    > variables are:
    > - HTTP_QUERY_STRING, converted to queryString in NEEDS command.
    > - HTTP_COOKIE, converted to cookieString in NEEDS command.
    > - HTTP_REFERER, shown in VALID_PATHS command.

    This is incorrect. While this might enable XSS attacks, it does not
    allow for Tcl code injection. The problematic command here is not SHOW,
    but SET.

    A (simplified) version of the Vignette SET command would look like this:

    proc SET {var val {noeval {}}} {
            # Unless the caller passes NOEVAL as the third argument, the value
            # is run through the template evaluator, which executes embedded [code]
            if {$noeval != "NOEVAL"} {
                    set val [EVAL $val]
            }
            namespace eval ::VgnDefaultNamespace [list set $var $val]
    }

    That is, unless a third argument of "NOEVAL" is passed to the SET
    command, the value will be interpreted as a Vignette Tcl template
    piece, and any Tcl command embedded in it in the form of "[code]" will
    be executed.

    > Solution
    > --------
    > Replace the offending SHOW evaluations in stdlib.tcl with directly
    > passed variables. For example:
    > instead: SET queryString [SHOW HTTP_QUERY_STRING]
    > use ==> SET queryString $HTTP_QUERY_STRING

    This is incorrect, and will likely break your application.

    Stefan Bethke <>
    Tallence GmbH, Steinhöft 11, D-20459 Hamburg, Germany
    Mobile +49 170 3460140, Office +49 40 36099860, Fax +49 40 36099869
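    A stand-alone Tcl model of the SET/EVAL behaviour described in the message above, added here as an example; it is not Vignette's code, and EVAL, the namespace name and the constructed query string are assumptions. It shows that a bracketed expression inside the value is executed on the default path and stored verbatim when NOEVAL is passed.

```tcl
# Added example, not Vignette's code. EVAL is a stand-in for Vignette's
# template evaluator: it performs Tcl command and variable substitution on
# the value, which is what turns embedded "[code]" into executed code.
namespace eval ::VgnDefaultNamespace {}

proc EVAL {tmpl} {
    # Evaluate embedded [commands] and $variables at global scope
    return [uplevel #0 [list subst $tmpl]]
}

# Simplified SET as described in the message: the value is evaluated
# unless the third argument is NOEVAL
proc SET {var val {noeval {}}} {
    if {$noeval != "NOEVAL"} {
        set val [EVAL $val]
    }
    namespace eval ::VgnDefaultNamespace [list set $var $val]
}

# Constructed request value: a query string carrying a bracketed Tcl command
set HTTP_QUERY_STRING {page=1&x=[expr {6*7}]}

# Default path: passing the variable directly changes nothing, because SET
# itself evaluates the value, so the expression is computed
SET queryString $HTTP_QUERY_STRING
puts "evaluated : $::VgnDefaultNamespace::queryString"

# NOEVAL path: the value is stored as an opaque string, brackets and all
SET queryString $HTTP_QUERY_STRING NOEVAL
puts "noeval    : $::VgnDefaultNamespace::queryString"
```

    The first assignment illustrates why replacing SHOW with a direct variable reference does not remove the evaluation step; whether NOEVAL is usable at every call site in stdlib.tcl is not addressed by the message.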

      ... Tcl has a library of "common" functions and utilities known as "tcllib". ... That said, the Tcl core does contain *many* file related commands, most of which are collected under the "file" ensemble command. ... So, check out "file" and its many sub-commands in the standard Tcl man-pages for most of the built-in file support, and take a look at the "fileutil" module of tcllib for other higher-level file utilities. ...