Keep Track of the Latest Vulnerabilities
with SecurityTracker!
Category:   Application (Generic)  >   csNewsPro Vendors:   WWW.CGIscript.NET, LLC
csNews Web-News CGI Script Access Control Flaws Let Remote Users View Sensitive Data, Including User Passwords, Modify Administrative Settings, and Execute Commands on the Server
SecurityTracker Alert ID:  1004516
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 11 2002
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   Several vulnerabilities were reported in the csNews web-news script from CGIscript.NET. A remote user can determine the file path, view configuration data, and view database files (including user passwords). A remote authenticated user can view and modify certain administrative settings and execute arbitrary commands on the system.

It is reported that a remote user can determine the full path of the script and can view certain environment variables and configuration data when the user submits a request that results in an error. A demonstration exploit request is provided:


A remote user can view database files by requesting them with double URL-encoded names, such as:


According to the report, a remote user can obtain database usernames and passwords via the '' database style and configuration file. Again, double URL-encoded names are required, such as:
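Both of the file-exposure issues above hinge on the name reaching the script behind two layers of URL encoding, so a defender reviewing web logs has to decode repeatedly before matching on file names. The following Python is an added example (not code from the advisory, from SecurityTracker, or from CGIscript.NET): it scans constructed Apache combined-format log lines, decodes each request target until it stops changing, and flags requests that name a `.style` or `*db` file whether directly or behind one or more encoding layers. The log lines are constructed, and the protected suffixes are an assumption taken from the advisory's mention of `.style` and `*db` files.

```python
"""Flag web-log requests that reach csNews data files behind URL encoding.

Added example for this advisory; not from the advisory or the vendor.
The sample log lines are constructed, and the protected suffixes are an
assumption based on the advisory's mention of .style and *db files.
"""
import re
from urllib.parse import unquote, parse_qsl

# Apache "combined" log format: only the request line is needed here.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Suffixes of files that should never be served over the web (assumption).
PROTECTED_RE = re.compile(r'(\.style|db)$', re.IGNORECASE)

MAX_DECODE_DEPTH = 4


def decode_layers(text):
    """Return [text, unquote(text), unquote(unquote(text)), ...] until the
    value stops changing. len(result) - 1 is the number of encoding layers."""
    layers = [text]
    while '%' in layers[-1] and len(layers) <= MAX_DECODE_DEPTH:
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:        # stray '%' that is not an escape
            break
        layers.append(nxt)
    return layers


def classify_target(target):
    """Fully decode a request target and report whether any path segment or
    query value names a protected file, plus how many layers hid it."""
    layers = decode_layers(target)
    decoded = layers[-1]
    path, _, query = decoded.partition('?')
    candidates = [seg for seg in path.split('/') if seg]
    candidates += [v for _, v in parse_qsl(query, keep_blank_values=True)]
    hits = [c for c in candidates if PROTECTED_RE.search(c)]
    return {
        'raw': target,
        'decoded': decoded,
        'encoding_depth': len(layers) - 1,
        'protected_hits': hits,
    }


def scan_log(log_text):
    """Return one finding per log line whose request reaches a protected
    file, directly or behind one or more layers of URL encoding."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        info = classify_target(m.group('target'))
        if info['protected_hits']:
            info['client'] = line.split(' ', 1)[0]
            findings.append(info)
    return findings


# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jun/2002:10:00:01 +0000] "GET /cgi-bin/csNews/csNews.cgi?database=news HTTP/1.0" 200 4120
10.0.0.9 - - [11/Jun/2002:10:00:07 +0000] "GET /cgi-bin/csNews/news%252edb HTTP/1.0" 200 912
10.0.0.9 - - [11/Jun/2002:10:00:12 +0000] "GET /cgi-bin/csNews/default%2Estyle HTTP/1.0" 200 311
10.0.0.9 - - [11/Jun/2002:10:00:20 +0000] "GET /cgi-bin/csNews/csNews.cgi?database=setup%252Edb HTTP/1.0" 200 2201
10.0.0.5 - - [11/Jun/2002:10:00:30 +0000] "GET /images/logo.gif HTTP/1.0" 200 5012
"""

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} depth={f['encoding_depth']} "
              f"{f['raw']} -> {f['decoded']} hits={f['protected_hits']}")
```

Matching on the fully decoded name rather than on the literal request string is what makes the check robust: a single-decode rule would miss the `%25`-prefixed names the advisory describes, while a depth of two or more on a data-file name is itself a useful signal, since ordinary clients have no reason to double-encode. The scan complements, but does not replace, the `.htaccess` deny rules the advisory recommends.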

A remote authenticated user (which could include an 'anonymous' user account) can gain access to certain administrative functions on csNews.cgi. The following URL reportedly allows a remote authenticated user to access the 'Advanced Settings':


Administrative options can be viewed with the following type of URL:


When the remote authenticated user accesses the 'Advanced Settings', they can specify any file or system command for the 'header' and 'footer'. To do so, the remote user can submit a hand-crafted web form, a Perl LWP script, or some JavaScript to display the 'setup.cgi' file, which reportedly contains the superuser name and password.

The following JavaScript can be used to view the 'setup.cgi' contents:


Also using the 'Advanced Settings' functions, the remote user can execute Perl and system commands by adding the Perl code to any text field, such as is shown below:


Impact:   A remote user can determine the file path, view configuration data, and view database files (including user passwords).

A remote authenticated user can view and modify certain administrative settings and execute arbitrary Perl code or system commands on the system. The code would run with the privileges of the web server CGI process.

Solution:   The report implies that the vendor has released a fixed version. The author of the report indicates that users should contact the vendor for an updated version.

Also, the author of the report suggests that only trusted users should be permitted to access the application. Access to .style and *db files should be disabled using Apache '.htaccess' files.

Vendor URL: (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject: csNews.cgi - Multiple Vulnerabilities
Date      : June 11, 2002
Product   : csNews.cgi (csNews standard)
            csNews.cgi (csNews Pro)

Vendor    : WWW.CGIscript.NET, LLC.
Homepage  :

From the website "Update and maintain articles and
news items on your web site with this full-featured
and extremely flexible content management system."

The following issues have been found:


- path disclosure vulnerability, filepath, ENV, and
config data displayed by errors

- Database files can be viewed/downloaded by accessing
the database file through a browser. Note: You'll need
to double url encode names!

- Database usernames and password can be accessed by
accessing the database style & config file
"". Note: You'll need to double url
encode names! "".  Usernames or
passwords in this file may be viewable.

Public Management 

- "Advanced Settings", usually restricted to admin
users, can be viewed, updated and saved by accessing
this URL:

- Admin options, usually restricted to admin users,
can be viewed by regular users with this url:

- "Advanced Settings", user can set any file or system
command to be set for 'header' and 'footer'.  This
could be done by submitting a hand crafted form page,
a Perl LWP script, or with this simple javascript.
This example will display the setup.cgi file which
contains the superuser name and password.



- "Advanced Settings", any user with access to the
advanced setting (granted with anonymous access, user
access, or admin access) can execute perl and system
commands by adding any of the following to any text

Contact vendor for updated version, only allow
completely trusted users to access the application,
disable access to .style and *db files through
Apache .htaccess files.

The information within this document may change
without notice. Use of this information constitutes
acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no
event shall the author be liable for any consequences
whatsoever arising out of or in connection with the
use or spread of this information. Any use of this
information lays within the user's responsibility.



Copyright 2018, LLC