Dear Mr. Ripke, A response regarding security issues in wwwisis 3.x follows. Should you have any comments, please do not hesitate in contact us. Best regards, JOrge Walters Gastelu jorgeat_private BIREME/PAHO/WHO +---------------------------+ |WWWIsis 3.x security issue | +---------------------------+ The security issue reported by Mr. Klaus Ripke (kripat_private) exists. It affects only wwwisis 3.x versions and does not affect later releases (current version is 5.0). As Mr. Ripke describes it, a security hole exists when "prolog" and/or "epilog" parameters are passed in the query string with malicious values such as system calls. SOLUTION Of course the recommended action is to upgrade wwwisis to version 5.0. It has been completely rebuild and incorporates a lot of new features such as XML manipulation. For those that will not upgrade and/or need to protect legacy systems a solution follows. Wwwisis 3.x versions are not longer maintained and developers should take care of the problem at application level following simple rules in using prolog/epilog parameters. The security issue occurs only in two situations: a) PROLOG/EPILOG parameters are set before CGI parameter in de "somefile.in" file. The solution in this case is to move them at the end of the CGI declaration. This change should not affect program's logic. Example: a "somefile.in" file for wwwisis: db=/db/some pft=@some.pft prolog=@prolog.pft epilog=@epilog.pft cgi='bool=',(if v100^n='boolean' then v100^v fi)/ should be changed to: db=/db/some pft=@some.pft cgi='bool=',(if v100^n='boolean' then v100^v fi)/,'prolog=@prolog.pft'/,'epilog=@epilog.pft'/, all in one line. b) PROLOG/EPILOG parameters are not set. To create wwwisis scripts without setting prolog/epilog parameters is a non common situation. In this case, just declare the parameters as 'epilog=,' and 'prolog=,' at the end of the CGI declaration. Example: a "somefile.in" file for wwwisis: db=/db/some pft=@some.pft cgi='bool=',(if v100^n='boolean' then v100^v fi)/ should be changed to: db=/db/some pft=@some.pft cgi='bool=',(if v100^n='boolean' then v100^v fi)/,'prolog=,'/,'epilog=,'/, When PROLOG/EPILOG parameters are defined as indicated, there is no way to break security through this trick. Even if someone try to redefine the parameters via CGI Query. -----Original Message----- From: Abel Laerte Packer [mailto:abelat_private] Sent: Tuesday, April 02, 2002 2:18 PM To: Klaus Ripke Cc: Bugtraqat_private; vulnwatchat_private; webappsecat_private; certat_private; jorgeat_private Subject: Re: [VulnWatch] vuln in wwwisis: remote command execution and get files Klaus., Thank you for your message. Jorge Walters who is BIREME's Coordiantor for systems development will wirte to you soon. Regards. Abel On Thu, 28 Mar 2002, Klaus Ripke wrote: > Name : wwwisis remote command execution and get files > Software Package : wwwisis > possibly affected : JavaISIS and other tools based on wwwisis > Vendor Homepage : http://www.bireme.br/isis/I/wwwi.htm > Vulnerable Versions: 3.45 verified, probably others > Platforms : Linux verified, probably others > Vulnerability Type : Input Validation Error > Vendor Contacted : 28 Feb 2002 > Vendor Replied : 01 Mar 2002 > > > > CONTACT INFORMATION > ============================================================================ === > > Name : Klaus Ripke > E-mail : kripat_private > > Vendor contact name : Abel Laerte Packer > Vendor contact e-mail : abelat_private > > > > TECHNICAL INFO > ============================================================================ === > > > Introduction: > > wwwisis runs as cgi to query mostly bibliographical databases. > Deployed on probably some hundred systems or more. > While this vuln is probably currently not being exploited, > it's possible to install workarounds right now, > therefore this information is published. > > > Summary: > > In common setups of wwwisis, query parameters can be forged > to have wwwisis execute any (shell) command and display any > readable file as allowed for the user of the cgi process. > Vulnerability can be avoided with careful setup. > > > Description: > > Input parameters from query string are not checked for bad input. > In common plain-vanilla setups such as the examples in the manual, > it is possible to have the process execute any format as sent by the > remote user. The formatting language has some too powerful functions. > There is also an alternate attack possibility abusing PATH_INFO. > > > Impact: > > Ability to execute any command and get any file as allowed for > the cgi process. > > > Exploits: > > Since there is not yet a fix published, > and the vuln is probably currently not being exploited, > details are to follow at a later time. > > > Workaround: > > Avoid wwwisis being called directly -- wrap it up in a perl -t script. > Wipe out any suspicious stuff from query params, clean up the ENV, > then exec wwwisis with a list of params. Read the perlsec manpage. > > > Vendor Status: > > Bireme will check it out. > >
This archive was generated by hypermail 2b30 : Tue Apr 02 2002 - 21:24:15 PST