Bugtraq mailing list archives

Re: CGI: Selena Sol's WebBanner ( Random Banner Generator ) Vulnerability


From: ron () GWMICRO COM (Ron Parker)
Date: Fri, 16 Jun 2000 15:00:44 -0500


At 08:55 AM 6/13/2000 +0200, Johannes Westerink wrote:
       Application Name: WebBanner (Random Banner Generator)
    Application Authors: Eric Tachibana (Selena Sol) and Gunther Birznieks
                Version: 4.0
          Last Modified: 17NOV98
                   Site: http://www.extropia.com

[...]

There's code in the script that's supposed to stop this exploit.  It'd
probably be better to fix that instead, assuming it's actually broken.
Did you actually test this exploit against a running installation, or is
this advisory based solely on static analysis?

------- snippet from earlier in the WebBanner script ----------
    # If they try to go outside the directory kill the program
    if ($form_data{'html_file'} =~ /\.\\?\./ ||
        $form_data{'html_file'} !~ /\.htm.?$/i) {
        $form_data{'html_file'} = "";
        exit(0);
    }
------- end snippet ---------

                      &CgiDie ( "I'm sorry, but I was unable to open the requested
      HTML file in the Insert Random Banner Into Page routine.  The
       value I have is $html_file.  Would you please check the path and
       the permissions for the file." );

This isn't safe, and it's also in the original WebBanner script.  Note
that CgiDie outputs the error message *to the user*.  Imagine what happens
when some black hat redirects their users to your script with suitable
JavaScript in place of html_file (making sure to avoid the .. or .\.
sequence of characters, and to end it with .htm.)
See http://www.cert.org/advisories/CA-2000-02.html for more details on
this common problem.  Also note that this does not appear to be the only
instance of this problem in the WebBanner script.

--
Ron Parker
GW Micro, Inc.
Voice 219-489-3671
Fax 219-489-2608
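
Added example, not part of the original post or of the WebBanner source: a Perl sketch that runs the quoted check over constructed values, next to a stricter allow-list and an HTML-encoding step for anything echoed in an error message. The names original_check_rejects, is_safe_html_file and html_escape are hypothetical, and the allow-list assumes banner pages are plain file names in a single directory.

```perl
#!/usr/bin/perl
# Added example; not code from WebBanner. All sub names are hypothetical.
use strict;
use warnings;

# The check quoted in the post, as a predicate.
# Returns 1 when the script would blank the value and exit.
sub original_check_rejects {
    my ($v) = @_;
    return ($v =~ /\.\\?\./ || $v !~ /\.htm.?$/i) ? 1 : 0;
}

# Stricter allow-list (assumption: a bare file name, no path components,
# only letters, digits, underscore and hyphen, ending in .htm or .html).
sub is_safe_html_file {
    my ($v) = @_;
    return ($v =~ /\A[A-Za-z0-9_-]+\.html?\z/) ? 1 : 0;
}

# Encode HTML-significant characters before a value is written into a
# page, such as the message handed to CgiDie.
sub html_escape {
    my ($s) = @_;
    my %ent = (
        '&' => '&amp;',  '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Constructed sample values for html_file.
my @samples = (
    'index.html',             # ordinary request
    '../../etc/passwd.htm',   # traversal: stopped by the original check
    '<b>markup</b>.htm',      # markup: passes the original check
);

for my $v (@samples) {
    printf "%-24s original=%-6s allowlist=%-6s echoed as: %s\n",
        $v,
        (original_check_rejects($v) ? 'reject' : 'pass'),
        (is_safe_html_file($v)      ? 'pass'   : 'reject'),
        html_escape($v);
}
```

The third sample passes the original check because it contains no `..` sequence and ends in `.htm`; the allow-list rejects it, and html_escape renders it inert if it is echoed anyway.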


