Multiple cgihtml vulnerabilities

From: Chris Leishman (chrisat_private)
Date: Tue Jan 07 2003 - 02:28:48 PST


    Overview
    --------
    
    cgihtml is a collection of routines for parsing World Wide Web (WWW)
    Common Gateway Interface (CGI) input and outputting HyperText Markup
    Language (HTML).
    
    http://www.eekim.com/software/cgihtml/
    
    According to the author's website, it has potentially been used in the
    implementation of everything from individual home pages to large
    e-commerce sites.
    
    It was written by Eugene Eric Kim <eekimat_private>, also the
    publisher of the 'CGI Developer's Guide'.
    
    
    Vulnerabilities
    ---------------
    
    These vulnerabilities were discovered in the current release of
    cgihtml, version 1.69.
    
    == Unsafe temporary file usage

    The most obvious error is that, when handling form uploads (content
    type 'multipart/form-data'), cgihtml attempts to create a file in the
    system /tmp directory (or another directory if configured) using the
    filename provided by the user agent, without performing any checks on
    that name.  This allows the user agent to trivially write, with the
    privileges of the web server process, to any file outside /tmp by
    supplying a filename whose path contains '../'.
    
    == Unsafe temporary file creation
    
    The way the temporary file is created is also insecure and could be
    exploited locally (using symlink attacks or similar).
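    The following is an added example, not code from cgihtml, covering the
    two temporary-file problems above.  vulnerable_upload_path() reproduces
    the pattern described (the client-supplied name is appended to the
    upload directory unchecked) for contrast only.  The hardened version
    keeps just the last path component of the client name as metadata and
    creates the actual file with mkstemp(), so the on-disk name is neither
    attacker-chosen nor predictable.  UPLOAD_DIR and the function names are
    assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed upload directory; cgihtml's configured directory may differ. */
#define UPLOAD_DIR "/tmp"

/* The pattern the advisory describes, kept only for contrast: the name the
 * user agent supplied is appended to the upload directory unchecked, so a
 * name such as "../../../etc/passwd" resolves outside UPLOAD_DIR. */
int vulnerable_upload_path(const char *client_name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", UPLOAD_DIR, client_name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened: keep only the last path component of the client name and accept
 * a conservative character set. The result is metadata to store alongside
 * the upload; it is never used to name the file on disk. Returns 0 or -1. */
int sanitize_client_filename(const char *client_name, char *out, size_t outlen)
{
    const char *base = client_name;
    const char *p;
    size_t len, i;

    /* Drop directory components, Unix or Windows style. */
    for (p = client_name; *p != '\0'; p++)
        if (*p == '/' || *p == '\\')
            base = p + 1;

    len = strlen(base);
    if (len == 0 || len >= outlen)
        return -1;
    if (strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return -1;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)base[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return -1;
    }
    memcpy(out, base, len + 1);
    return 0;
}

/* Hardened creation: mkstemp() opens with O_CREAT|O_EXCL and mode 0600 under
 * a name the attacker cannot predict, so a symlink planted at a guessable
 * path is not followed. Returns the open fd (or -1) and writes the path. */
int create_upload_file(const char *dir, char *path_out, size_t outlen)
{
    int n = snprintf(path_out, outlen, "%s/upload.XXXXXX", dir);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return mkstemp(path_out);
}

int main(void)
{
    char name[64], path[128];
    int fd;
    /* Constructed input: the filename used in the advisory's request. */
    const char *evil = "../../../tmp/haxor.html";

    if (vulnerable_upload_path(evil, path, sizeof path) == 0)
        printf("unchecked path:  %s\n", path);
    if (sanitize_client_filename(evil, name, sizeof name) == 0)
        printf("sanitized name:  %s\n", name);
    fd = create_upload_file(UPLOAD_DIR, path, sizeof path);
    if (fd >= 0) {
        printf("created:         %s\n", path);
        close(fd);
        unlink(path);
    }
    return 0;
}
```

    The sanitized name is deliberately not used to open anything: once the
    data is safely on disk under the mkstemp() name, the application can
    decide separately whether and where to keep it.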
    
    == Unsafe interpretation of content-length

    cgihtml implicitly trusts the Content-Length specified by the user
    agent and allocates memory based on that value in which to store the
    POST data.  This is a trivial denial of service: a client can declare
    an arbitrarily large Content-Length and the process will attempt to
    allocate that much memory regardless of how much data it actually
    sends.
    
    == Unsafe memory management and assumption of input structure
    
    I have noticed numerous points throughout the code where input is
    handled insecurely, or the input format is assumed, which can allow
    the user agent to cause bad memory accesses and most likely buffer
    overflows.  My brief investigation focused on the 'multipart/form-data'
    processing, but I am assuming similar problems may exist outside this
    section of the code.
    
    As an example, it is assumed that header lines in multipart sections
    will be structured such that the name of the section can be read
    beginning at the 38th character of the line, and no attempt is made
    to verify that the buffer actually contains that much data.
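    The following is an added example, not cgihtml code, addressing both
    the Content-Length issue and the fixed-offset header parsing above.
    checked_content_length() bounds the declared length before it reaches
    malloc(), read_post_body() refuses a body shorter than declared rather
    than parsing a half-filled buffer, and disposition_param() locates a
    quoted parameter in a Content-Disposition line by searching within the
    known line length instead of assuming the value starts at a fixed
    column.  MAX_POST_BYTES and the function names are assumptions for this
    example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed site policy for the largest POST body accepted; not a cgihtml value. */
#define MAX_POST_BYTES (1024L * 1024L)

/* Validate the CONTENT_LENGTH string the web server passed through before it
 * reaches malloc(). Returns the length, or -1 for absent, non-numeric,
 * negative or oversize values. */
long checked_content_length(const char *value)
{
    char *end;
    long n;

    if (value == NULL || *value == '\0')
        return -1;
    errno = 0;
    n = strtol(value, &end, 10);
    if (errno != 0 || *end != '\0' || n < 0 || n > MAX_POST_BYTES)
        return -1;
    return n;
}

/* Read exactly len bytes of POST data into a NUL-terminated buffer. A client
 * that declares more than it sends gets NULL, not a partially filled buffer
 * that later code would parse as if it were complete. Caller frees result. */
char *read_post_body(FILE *in, long len)
{
    char *buf;
    size_t got;

    if (len < 0 || len > MAX_POST_BYTES)
        return NULL;
    buf = malloc((size_t)len + 1);
    if (buf == NULL)
        return NULL;
    got = fread(buf, 1, (size_t)len, in);
    if (got != (size_t)len) {
        free(buf);
        return NULL;
    }
    buf[len] = '\0';
    return buf;
}

/* Pull a quoted parameter (name="...", filename="...") out of a
 * Content-Disposition line of linelen bytes by searching for it, instead of
 * assuming the value sits at a fixed column. Every index is checked against
 * linelen, so a short or malformed line cannot cause an out-of-bounds read.
 * Returns 0 and fills out on success; -1 if absent, unterminated or too long. */
int disposition_param(const char *line, size_t linelen, const char *param,
                      char *out, size_t outlen)
{
    size_t plen = strlen(param);
    size_t i;

    for (i = 0; i + plen + 2 <= linelen; i++) {
        /* Require a token boundary so "name" does not match inside "filename". */
        if (i > 0 && line[i - 1] != ' ' && line[i - 1] != ';')
            continue;
        if (memcmp(line + i, param, plen) != 0 ||
            line[i + plen] != '=' || line[i + plen + 1] != '"')
            continue;
        {
            size_t start = i + plen + 2, j = start;
            while (j < linelen && line[j] != '"')
                j++;
            if (j == linelen || j - start >= outlen)
                return -1;
            memcpy(out, line + start, j - start);
            out[j - start] = '\0';
            return 0;
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed inputs: the header line from the advisory's request, and a
     * legitimate line shorter than the 38 bytes the library assumes. */
    const char *hdr = "Content-Disposition: form-data; name=\"Haxor\"; "
                      "filename=\"../../../tmp/haxor.html\"";
    const char *shortline = "Content-Disposition: form-data";
    char val[128];

    printf("Content-Length 282         -> %ld\n", checked_content_length("282"));
    printf("Content-Length 99999999999 -> %ld\n", checked_content_length("99999999999"));
    if (disposition_param(hdr, strlen(hdr), "name", val, sizeof val) == 0)
        printf("name     = %s\n", val);
    if (disposition_param(hdr, strlen(hdr), "filename", val, sizeof val) == 0)
        printf("filename = %s\n", val);
    printf("short line -> %d\n",
           disposition_param(shortline, strlen(shortline), "name", val, sizeof val));
    return 0;
}
```

    The filename value returned here is still the raw client string; it
    must go through the basename sanitization from the temporary-file
    section before it is used anywhere near the filesystem.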
    
    == Notification
    
    I have attempted to contact the author via his email address on
    10/12/2002, but have not received any reply.
    
    == Exploit
    
    I'm not going to provide any exploit code to take advantage of these
    issues.  However, below is an example user agent request that triggers
    the first issue mentioned (unsafe temporary file usage).
    
    =====request start
    POST http://someserver.com/blah.cgi HTTP/1.0
    User-Agent: Haxor
    Content-Type: multipart/form-data; boundary=#123456789#multipart#boundary#1234567890#
    Content-Length: 282
    
    --#123456789#multipart#boundary#1234567890#
    Content-Disposition: form-data; name="Haxor"; filename="../../../tmp/haxor.html"
    
    <HTML>
    <HEAD><TITLE>Haxor</TITLE></HEAD>
    <BODY><H1>This page should not be here</H1></BODY>
    </HTML>
    
    --#123456789#multipart#boundary#1234567890#--
    =====request end
    
    
    Best Regards,
    Chris Leishman
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jan 21 2003 - 15:22:12 PST