qDefense Advisory Number QDAV-5-2000-1

Product: DCForum
Vendor: DCScripts (www.dcscripts.com)
Version Tested: DCForum 2000 1.0
Severity: Any remote attacker may gain read/write/execute privileges
Cause: Failure to validate input; trust of hidden fields; allows uploading of arbitrary files by default
Solution: Provided here

DCForum is a popular CGI script for creating message boards on web sites. It contains, however, a number of serious vulnerabilities.

In line 121 of the file dcboard.cgi there is a statement of the form "require <prefix><az hidden form field><suffix>;". (The exact line is not quoted due to copyright limitations.) The Perl statement "require EXPR" opens the file EXPR, parses it, and executes it as regular Perl, as if the entire contents of that file appeared at that point. Therefore, an attacker who can write a file containing Perl commands to the server will be able to execute them by setting the az field to the name of that file on the server.

To make matters worse, no input checking is done on the az field, so as long as the file is located anywhere on the server an attacker can reference it, using double dots to undo the prefix and a %00 to truncate off the suffix.

Getting the file onto the server is no problem either. DCForum, by default, allows any user to upload any file by setting az=upload_file. However, there are other ways of getting files onto the server, so even servers that disable uploading are vulnerable.

Solution:
- Patch dcboard.cgi to remove double dots and poison nulls
- Disable uploading

(Note: this solution by no means ensures DCForum's security; it is merely a band-aid for this vulnerability.)

Franklin DeMatto
franklinat_private
qDefense - DEFENDING THE ELECTRONIC FRONTIER
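The advisory recommends stripping double dots and poison nulls from the az field before it reaches "require". An added example of a stricter fix, written here and not taken from DCScripts' code: rather than filtering bad characters out, the field is matched against an allowlist of known action names, so it can never name an uploaded or unrelated file. The module directory, suffix and action names are assumed for illustration.

```perl
#!/usr/bin/perl
# Added example (not DCScripts' code): hardening the
# "require <prefix>$az<suffix>" pattern described in the advisory.
# $PREFIX, $SUFFIX and the %ALLOWED action names are assumed values.
use strict;
use warnings;

my $PREFIX = '/usr/local/dcforum/modules/';   # assumed module directory
my $SUFFIX = '.pl';                           # assumed module suffix

# Allowlist of actions the script knows how to dispatch. Anything not
# listed is refused, so user input can never select an arbitrary file.
# Note that 'upload_file' is deliberately absent, disabling uploads.
my %ALLOWED = map { $_ => 1 } qw(list_forums show_thread post_message);

# Returns the validated action name, or undef if the input is refused.
sub safe_action {
    my ($az) = @_;
    return undef unless defined $az;
    # Refuse an embedded NUL (the %00 suffix-truncation trick).
    return undef if $az =~ /\0/;
    # Only a short plain identifier is accepted; this also rules out
    # "..", "/" and "\", so the prefix cannot be escaped.
    return undef unless $az =~ /\A[A-Za-z0-9_]{1,32}\z/;
    return undef unless $ALLOWED{$az};
    return $az;
}

# Loads the module for an action, dying before require if it is refused.
sub dispatch {
    my ($az) = @_;
    my $action = safe_action($az);
    die "refused action\n" unless defined $action;
    my $file = "$PREFIX$action$SUFFIX";   # one of the allowlisted paths
    require $file;
}

# Constructed inputs exercising the check (the modules themselves are
# not loaded here, so this part runs without the assumed directory).
for my $input ('show_thread', "../../tmp/x\0", '../../../tmp/x',
               'upload_file') {
    my $shown  = $input =~ s/\0/\\0/r;
    my $result = defined safe_action($input) ? 'allowed' : 'refused';
    printf "%-20s %s\n", $shown, $result;
}
```

Only "show_thread" is allowed; the traversal, NUL and upload_file inputs are all refused before "require" is ever reached.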
This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 01:35:47 PDT