SecurityTracker.com
Category:   Application (Web Server/CGI)  >   CSVForm
Vendors:   EZScripting.com
CSVForm Perl Script Input Validation Bug Lets Remote Users Execute Arbitrary Code With the Privileges of the Web Server
SecurityTracker Alert ID:  1002941
SecurityTracker URL:  http://securitytracker.com/id/1002941
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 11 2001
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): v0.1
Description:   A vulnerability was reported in the CSVForm Perl script, which is used to add records to a CSV-formatted database file. A remote user can supply commands to the script that will be executed with the privileges of the web server.

A remote user can supply an operating system command in the 'file' form variable, and the script will execute it. The following type of URL can reportedly be used to trigger the vulnerability:

http://[targethost]/cgi-bin/csvform.pl?file=COMMAND_GOES_HERE%00|

Impact:   A remote user can execute arbitrary code on the server with the privileges of the web server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.ezscripting.com/scripts/csvform1.html
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  CSVForm (Perl CGI) Remote Execution Vulnerability


// Script:  CSVForm.pl v0.1 and possibly CSVFormPlus
// Problem:  Remote command execution
// Homepage: http://www.ezscripting.com/scripts/csvform.html
// Script Author:  Mutasem Abudahab

Overview
-----------
CSVForm is a CGI Perl script designed to add records to a CSV database file.
The CSV database file to be used is selected using an HTML hidden tag and I
assume this is to allow the same script to be used within multiple forms and
csv data files.
This script doesn't appear to be actively maintained, yet it does appear to
be used on a number of web sites.  Unfortunately for those who adhere to the
author's request to notify him of its use, they may be particularly
vulnerable if they happen to be listed under the "Check out sites using our
scripts" link located on the homepage.

Description of problem
---------------------------
Examining the script shows that after the query is parsed and the parameter of
file obtained, it is passed directly to the following code sample
unfiltered.

sub modify_CSV
{
# Two-argument open on the unfiltered 'file' parameter
if(open(CSV,$_[0])){
 }
 else{
        goto &produce_error(
                "Can't open CSV file.\n",
                "Please, check that you have provided the cgi script with correct CSV file",
                " path in the HTML form.\n"
                );
        }


Example of exploit
----------------------
http://server/cgi-bin/csvform.pl?file=COMMAND_GOES_HERE%00|


Fix / workaround
--------------------
Hardcode path to csv data file or apply proper input validation.

Attempts to notify the author have failed as it seems his email has
backlogged to the point at which no further emails are being accepted.


Jason Gomes
jasong@home.com
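
The workaround above (hardcode the path or validate the input), shown as an added example that is not part of the original message or of CSVForm. Perl's two-argument open() treats a trailing "|" in its argument as a command pipe; the three-argument form with a fixed mode does not. The names $DATA_DIR, %CSV_FILES and open_csv_for_append are hypothetical, and the inputs are constructed.

```perl
#!/usr/bin/perl
# Added example, not CSVForm's code: the form sends a short key, never a path.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Assumption: CSV files live in one fixed directory outside the web root.
# A temporary directory stands in for it so the example runs anywhere.
my $DATA_DIR  = tempdir(CLEANUP => 1);
my %CSV_FILES = (                      # hypothetical allowlist: key => file name
    guestbook => 'guestbook.csv',
    orders    => 'orders.csv',
);

# Returns an append filehandle for an allowlisted key, or nothing on rejection.
sub open_csv_for_append {
    my ($key) = @_;
    return unless defined $key;
    # Plain identifiers only: no NUL byte, '|', '/', '.', or whitespace.
    # \A and \z anchor the whole string, so a trailing newline cannot slip by.
    return unless $key =~ /\A[A-Za-z0-9_]{1,32}\z/;
    my $name = $CSV_FILES{$key} or return;
    # Three-argument open: the mode is fixed by the code, so the path
    # is never parsed for '|', '<' or '>' characters.
    open(my $fh, '>>', "$DATA_DIR/$name") or return;
    return $fh;
}

# Constructed inputs: one legitimate key, then values shaped like the
# request in the advisory and other unexpected values.
for my $input ('guestbook', "COMMAND_GOES_HERE\0|", 'guestbook.csv',
               '../orders', 'unknown') {
    (my $shown = $input) =~ s/\0/\\0/g;    # make the NUL byte printable
    my $fh = open_csv_for_append($input);
    printf "%-24s %s\n", $shown, $fh ? 'opened for append' : 'rejected';
    close($fh) if $fh;
}
```

Only the first input is opened; every other value is rejected before any open() call is made.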
