SecurityTracker Archives
Category:   Application (Web Server/CGI)  >   Free On-line Dictionary of Computing (FOLDOC) Vendors:   Foldoc.org
Free On-line Dictionary of Computing (FOLDOC) CGI Software Allows Users to Execute Certain Commands on the Server (ex: Read Files, Delete Files, List Processes)
SecurityTracker Alert ID:  1001101
SecurityTracker URL:  http://securitytracker.com/id/1001101
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 15 2001
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): all versions
Description:   The Free On-line Dictionary of Computing (FOLDOC) CGI software reportedly does not provide sufficient input validation and may allow remote users to execute certain commands on the server with the privileges of the web server.

The problem apparently exists in the "template.cgi" file where an input variable named "$file" is not validated, allowing command execution and remote file viewing.

According to the report, command execution is limited to single commands without switches (e.g., ps,ls,rm).

Impact:   A remote user can execute certain commands on the server. Through this, the remote user can list processes, list files, delete files, and perform other tasks.
Solution:   No solution was available at the time of this entry. The author of the original report lists a workaround: Make sure that the world-executable bit is removed (chmod 750) from the template.cgi file. This appears to work but has not been tested.
Vendor URL:  wombat.doc.ic.ac.uk/foldoc/index.html
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  Cgisecurity.com advisory #4 The Free On-line Dictionary of


The vendor has been contacted on this issue and it is being fixed.
Please visit his page for further updates.

Just so all the script kids know, it does allow partial command execution.
The only limit to this is commands with arguments.
(EX: limited to single commands like ls,ps)

Debian also has this for download and the link is contained within the advisory.


- zenomorph


***************************************************************************************


                               [Cgi Security Advisory #4]
                                 admin@cgisecurity.com
                      Foldoc The Free On-line Dictionary of Computing




Found
Sometime in 2000
(I forgot about it for awhile)


Public release
March 9th? 2001


Script Affected: The Free On-Line Dictionary of Computing
Price: It says free, silly!


Versions affected:
All versions appear to be


Platforms:
Unix, Linux
(NT/2000 Unknown)


Vendor
www.foldoc.org
http://wombat.doc.ic.ac.uk/foldoc/index.html



2. Problem


The problem lies in a file called template.cgi.
This file has a variable named $file which does not validate its input.
Below is an example of what you would enter to show the script's own source
code.

http://hostname/foldoc/template.cgi?template.cgi
(Note: Paths may vary but this seems to be a popular one)

This does allow command execution as well as remote file viewing.
The command execution is limited to single commands without switches.
(Ex: ps,ls,rm) This would LIMIT an attacker from executing a series of commands
to bind a shell to a port. Command execution is allowed under the permissions
of the webserver which is normally user nobody.



3. Fixes

The vendor has been contacted about this security issue.
Check the vendor webpage for further updates or use the included
vendor patch at the bottom of this advisory.


3a. Temp Fix

Find template.cgi and make sure the executable bit is removed for the world (chmod 750).
We have found 1 site that has done this and their software appears to be working properly.
(Note: Not tested otherwise)



Additional:

We have found that Debian also distributes this, from a few searches online.
http://packages.debian.org/stable/text/dict-foldoc.html


******************************************************************************************
                                 VENDOR PATCH BELOW THIS LINE
******************************************************************************************

<--- Insert patch here --->
The main change was to check the filename from the QUERY_STRING:

  # Check for dodgy paths in file
  if ($file =~ m|/|) {print "Bad file \"$file\""; exit 0}

and add a "<" to try to ensure that it is only opened for reading

  unless (open IN, "< $file") {print "Can't read $file: $!\n"; exit 0}

<--- End of patch --->


Note: Patch included from vendor. It will, on the other hand,
still allow reading of any file in the present dir, which means that
if you have any important files with passwords in this directory
you have been warned.

This script needs to be able to read various file types and the vendor
decided not to limit it to certain file types only. While this may normally
be a good idea to incorporate, this script lies within its own directory of "foldoc".
This means only files within "foldoc" could be read.



Published to the Public March 2001
Copyright March 2001 Cgisecurity.com
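As an added example (not FOLDOC's or cgisecurity.com's code), the following Perl shows how the vendor's check quoted above could be tightened so that template.cgi itself and other files in the script's directory cannot be read back: templates are kept in a fixed directory with an explicit allow-list of names (both the directory path and the names are assumptions), and a three-argument open separates the mode from the filename, so a value such as "|ps" can only ever be a literal filename.

```perl
#!/usr/bin/perl
# Added example, not FOLDOC's or cgisecurity.com's code. It validates the
# template name taken from the query string before opening anything.
# Assumptions: TEMPLATE_DIR and the allow-listed names are hypothetical.
use strict;
use warnings;
use File::Spec;

# Only these template names may ever be served; the script's own source
# (template.cgi) is deliberately absent, so it cannot be read back.
my %ALLOWED = map { $_ => 1 } qw(index.tmpl entry.tmpl search.tmpl);
my $TEMPLATE_DIR = '/var/www/foldoc/templates';   # hypothetical path

# Returns the absolute path to open, or undef if the request is rejected.
sub safe_template_path {
    my ($name) = @_;
    return undef unless defined $name;
    # Allow-list the characters: no '/', '|', '<', '>' or whitespace, so the
    # string can never be interpreted as a pipe or a path by open().
    return undef unless $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;
    return undef if $name =~ /\.\./;          # no parent-directory tricks
    return undef unless $ALLOWED{$name};      # must be a known template
    return File::Spec->catfile($TEMPLATE_DIR, $name);
}

# Three-argument open: the mode is its own argument, so even a name such as
# "|ps" or ">index.tmpl" would be looked up as a literal file, never run.
sub read_template {
    my ($name) = @_;
    my $path = safe_template_path($name);
    die "Bad template name\n" unless defined $path;
    open(my $fh, '<', $path) or die "Can't read $path: $!\n";
    local $/;                                 # slurp the whole file
    my $content = <$fh>;
    close $fh;
    return $content;
}

# Constructed probes mirroring the advisory: only the first is accepted.
for my $probe ('index.tmpl', 'template.cgi', '../../etc/passwd',
               '|ps', 'ls|', '< index.tmpl') {
    printf "%-20s => %s\n", $probe,
        defined safe_template_path($probe) ? 'allowed' : 'rejected';
}
```

The probe loop only exercises the validator; read_template would be called with the accepted name once the template directory exists.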
