Bugtraq mailing list archives
Lasso CGI security hole (fwd)
From: t25 () VAKUUM NET (Christian Horchert)
Date: Tue, 19 Aug 1997 09:20:40 +0200
---------- Forwarded message ----------
Date: Sun, 17 Aug 1997 22:49:12 -0500
From: Chuck Shotton <cshotton () biap com>
Reply-To: WebSTAR-Dev <webstar-dev () starnine com>
To: webstar-talk () starnine com, webstar-dev () starnine com
Subject: SECURITY ALERT! Lasso CGI security hole

It has recently been discovered that the Lasso CGI product from Blue World Communications, Inc. has a security flaw that can make it possible for any file on any Macintosh web server supporting CGIs to be accessed regardless of security restrictions imposed by the web server.

StarNine Technologies is advising users of its WebSTAR servers to remove the current Lasso CGI from active use and replace it with an updated version of Lasso that can be obtained from Blue World. Blue World is aware of the problem and has already created patches correcting this behavior. These updates are available from their web site at <http://www.blueworld.com/>.

It should be noted that this problem with Lasso will affect any web server application that has the capability of running this specific CGI, regardless of server vendor. Users of other web server applications should take action as well.

While the security flaw allows only read access to data stored on the server, this data may include secure information, access control information, or other data that may grant a higher level of access to the server via another mechanism. Read access is unrestricted and references to the data fork of any file on any mounted volume can be gained through this flaw.

It is important to note that this is a problem with one specific CGI application and is NOT a problem related to the Mac O/S or any Mac web server product. This type of problem is inherently possible in the CGI process, can exist on any hardware platform, any O/S, and any server since it is up to CGI authors to ensure the security of their responses to WWW clients. This is a very isolated problem and Blue World has already corrected it in the versions of Lasso now available on-line.

In addition, if you are using other CGIs or plug-ins that return data from your web server's file system, you should confirm with the appropriate vendor(s) that no potential problem exists and that the plug-in or CGI honors all the security restrictions of the parent web server.

StarNine has already performed a security audit to confirm that no such security holes exist in the plug-in and CGI products it authors and ships with its WebSTAR family of servers.

--_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
Chuck Shotton              StarNine Technologies, Inc.
chuck () starnine com      http://www.starnine.com/
cshotton () biap com       http://www.biap.com/
"Shut up and eat your vegetables!!!" -- C.