[SUPERPETZ ADVISORY #001 - agora.cgi Secret Path Disclosure Vulnerability]

From: superpetzat_private
Date: Mon Jan 28 2002 - 17:28:02 PST

     oO ____.
    {+_'____.=== 
       /\  /\
    
    
    TITLE: agora.cgi Secret Path Disclosure Vulnerability
    -----
    
    discovery date: January 28th, 2002. 
    --------------
    
    publication date: January 28th, 2002.
    ----------------
    
    impact: sub-minor
    ------
    
    local: nada
    -----
    
    remote: yes!
    ------
    
    introduction:
    ------------
    
    agora.cgi is a special "jazzed up" shopping cart product written by Steve Kneizys. If you wanna have fun, you can make a special store that sells pretend contraband blank US passports, like I did.
    
    Check it out here:
    
    http://www.agoracgi.com/
    
    background:
    ----------
    
    This is what is known as a path disclosure vulnerability.  It is not terribly exciting. The general idea behind this issue is that an error page is giving out some potentially sensitive information.  Sometimes this information is actionable, other times it is totally "big whup!".  Regardless, it is just a bad policy for a CGI to spew out sensitive information of any variety. 
    
    details:
    -------
    
    This issue can be easily reproduced.  It appears to only be an issue in debug mode.  Ideally, live stores will not have debug mode on, but you never know... by the vendor's own admission, he accidentally had his own site running in debug mode.
    
    I enter the following URL:
    
    http://agoracgistorehost/cgi-bin/store/agora.cgi?page=pretendpage.html
    
    (please note: pretendpage.html represents a non-existent .html file.  It does not represent a cheeky pretend product page, like for example the one I made for contraband black market passports.) 
    
    I get the following feedback (yay!):
    
    ERROR:FILE OPEN ERROR-./html/pages/pretendpage.html
    FILE: /home/httpd/cgi-bin/store/agora.cgi
    LINE: 1114
    
    This shows the absolute path to the cgi-bin directory that agora.cgi is located in. 
    
    Please consider that agora.cgi is not a dumb program.  It does not like my attempts to feed the "?page=" parameter with a directory traversal or a file that does not have a .htm/.html extension.  It just has a tendency to blab the absolute path.  My discovery of this vulnerability is purely coincidental.  I tried the more malicious type stuff after finding it.
    
    workarounds/solutions:
    ---------------------
    
    Do not run your agora.cgi store in debug mode. 
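To make the finding and the workaround concrete, here is an added sketch (my own illustration, not the vendor's code; agora.cgi is a Perl CGI, this is Python) of a page loader that validates the "?page=" parameter the way the advisory describes, and reports the same open failure differently with debug on and off. The discloses_path() check is a small test an operator can run against their own error pages. PAGES_DIR, ALLOWED_EXT and the logger name are assumptions.

```python
import logging
import os
import re
from pathlib import Path

PAGES_DIR = Path("./html/pages")   # assumed layout, matching the advisory's relative path
ALLOWED_EXT = (".htm", ".html")    # the advisory says only .htm/.html pages are accepted
DEBUG = False                      # the workaround: keep debug mode off on live stores
log = logging.getLogger("store")   # hypothetical server-side log


def safe_page_name(page: str):
    """Accept only a bare .htm/.html file name; reject traversal and hidden files."""
    if not page.endswith(ALLOWED_EXT):
        return None
    if page.startswith(".") or page != os.path.basename(page):
        return None
    return page


def render_page(page: str, debug: bool = DEBUG) -> str:
    """Serve a store page; on open failure keep the path detail out of the response."""
    name = safe_page_name(page)
    if name is None:
        return "ERROR: invalid page request"
    path = PAGES_DIR / name
    try:
        return path.read_text()
    except OSError as exc:
        # The operator still gets the detail, but in the server-side log only.
        log.error("file open error: %s (%s)", path.resolve(), exc)
        if debug:
            # Debug mode copies the same detail into the response: this is the leak.
            script = Path(globals().get("__file__", "agora.cgi")).resolve()
            line = exc.__traceback__.tb_lineno
            return f"ERROR:FILE OPEN ERROR-{path}\nFILE: {script}\nLINE: {line}"
        return "ERROR: page not found"


# Crude response-body check for absolute filesystem paths in error output.
PATH_LEAK = re.compile(r"(?m)^FILE:\s*/|/home/|/var/www/|/usr/local/|\b[A-Z]:\\")


def discloses_path(body: str) -> bool:
    """True if an error page reveals a filesystem path a client should not see."""
    return PATH_LEAK.search(body) is not None
```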
    
    vendor response:
    ---------------
    
    The vendor provided a courteous and timely response to this issue.  He mentioned a cross-site scripting issue with the debug mode.  No mention of a fix.  Just advises me not to run the program in debug mode.
    
    terms of vulnerability disclosure:
    ---------------------------------
    
    The vendor did not cause me headaches or nosebleeds.  The issue is really minor and conditional with a sufficient workaround to mitigate the problem.  Based on these criteria I decided to disclose immediately.
    
    copyright:
    ---------
    
    I don't care if you copy this in whole or in part. Don't matter much to me.
    
    contact:
    -------
    
    superpetzat_private
    



    This archive was generated by hypermail 2b30 : Mon Jan 28 2002 - 17:38:02 PST