CGIscript.net - csNews.cgi - Multiple Vulnerabilities

From: Steve Gustin (stegus1at_private)
Date: Tue Jun 11 2002 - 14:00:51 PDT

Next message: securityat_private: "Security Update: [CSSA-2002-026.0] Linux: ghostscript arbitrary command execution"

Previous message: John C. Welch: "Re: remote DoS in Mozilla 1.0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

CGIscript.net - csNews.cgi - Multiple Vulnerabilities
---------------------------------------------------------------------
Date      : June 11, 2002
Product   : csNews.cgi (csNews standard)
            csNews.cgi (csNews Pro)

Vendor    : WWW.CGIscript.NET, LLC.
Homepage  : http://www.cgiscript.net/

DISCUSSION:
---------------------------------------------------------------------
From the website "Update and maintain articles and
news items on your web site with this full-featured
and extremely flexible content management system."

The following issues have been found:

ACCESS REQUIRED : NONE

- path disclosure vulnerability, filepath, ENV, and
config data displayed by errors
  CSNews.cgi?command=viewnews&database=none

- Database files can be viewed/downloaded by accessing
the database file through a browser. Note: You'll need
to double url encode names!
  "default%2edb".  

- Database usernames and password can be access by
accessing the database style & config file
"database.style". Note: You'll need to double url
encode names! "default%2edb.style".  Usernames or
passwords in this file may be viewable.

ACCESS REQUIRED : "ANONYMOUS" or "PASSWORD PROTECTED"
Public Management 

- "Advanced Settings", usually restricted to admin
users, can be viewed, updated and saved by accessing
this URL:
 
CSNews.cgi?database=default%2edb&command=showadv&mpage=manager

- Admin options, usually restricted to admin users,
can be viewed by regular users with this url:
 
CSNews.cgi?command=manage&database=default%2edb&mpage=manager

- "Advanced Settings", user can set any file or system
command to be set for 'header' and 'footer'.  This
could be done by submitting a hand crafted form page,
a perl LWP script, or with this simple javascript. 
This example will display the setup.cgi file which
contains the superuser name and password.

javascript:alert(document.form1.pheader.value='setup.cgi');

javascript:alert(document.form1.pfooter.value='setup.cgi');

- "Advanced Settings", any user will access to the
advanced setting (granted with anonymous access, user
access, or admin access) can execute perl and system
commands by adding any of the following to any text
field:
  \"; PERL_CODE_HERE \"

SOLUTION
---------------------------------------------------------------------
Contact vendor for updated version, only allow
completely trusted users to access the application,
disable access to .style and *db files through
Apache .htaccess files.

DISCLAIMER
---------------------------------------------------------------------
The information within this document may change
without notice. Use of this information constitutes
acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no
event shall the author be liable for any consequences
whatsoever arising out of or in connection with the
use or spread of this information. Any use of this
information lays within the user's responsibility.



__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com

Next message: securityat_private: "Security Update: [CSSA-2002-026.0] Linux: ghostscript arbitrary command execution"
Previous message: John C. Welch: "Re: remote DoS in Mozilla 1.0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 14:21:24 PDT