Bugtraq mailing list archives
Re: Security Advisory : eXtropia WebStore (web_store.cgi) Directory Traversal Vulnerability
From: Gunther Birznieks <gunther () EXTROPIA COM>
Date: Tue, 10 Oct 2000 10:36:32 +0800
I have to say that I am a bit upset about this post for several reasons.
1) I do not believe this is a vulnerability in our current web store
release and hasn't been for quite a long time.
eg the subroutine you cite as having a problem: error_check_form_data() is
actually called AFTER I've gone through an untainting procedure on the page
which explicitly only allows
word chars (\w), -, =, +, / plus one and only one period followed by one or
more word characters (\w+). Then $page is reassigned to $1.$2, so that if
any null byte existed afterwards, then this would be stripped out of the $page.
In other words, I find it difficult to believe this is a currently problem
based on the information you posted. At best you can only say that this was
a problem maybe 2 years ago. Old news -- we already posted to all our users
that we put security fixes for this back then.
2) Even if this is a vulnerability, you did not notify eXtropia before
posting this!
If you search the past posts here, you will see that it is irresponsible
for you to be posting vulnerabilties without notifying the vendor first.
a) You risk spreading misinformation and causing extra work for people
checking vulnerabilities where none exist. As stated in #1, I believe this
is the case here.
b) You don't know the script very well. The vendor does. If you have a
security vulnerability report to make, you should ask the vendor whether
your fix is actually valid.
I don't care if you are a genius IQ, nobody but the person who coded the
script tends to know it best. Just because you find a vulnerability does
not mean that you know how to solve it in the best and most efficient way
possible nor that you know the side effects such a fix might make to the
rest of the programs operation.
c) You are informing hackers of a vulnerability in a product way before the
users of that product! That's irresponsible. You need to give the vendor
the chance (if only a DAY!!!) to fix the problem and notify all their users.
Most users of free CGI scripts are normal business people and part-time
webmasters -- they don't subscribe to lists such as these because they are
way too technical and contain too much traffic for them to decipher.
All you succeed in doing here is telling the intellectuals who read this
list (many of whom may be hackers themselves) how to hack into someone
else's system. Only the vendor has the customer list of who is using their
scripts or applications, so only the vendor can really notify the users.
Anyway, I am really glad that there are people like you who take the time
to figure out security vulnerabilities. But please temper your special gift
with some responsibility for the community at large.
:)
Thanks,
Gunther
At 03:45 AM 10/9/2000 -0400, f0bic wrote:
[ October 9, 2000 ]
Security Advisory (web_store.cgi.ad-1.00-10) : eXtropia WebStore
(web_store.cgi) Directory Traversal Vulnerability
Affected Product/Version:
* eXtropia WebStore (web_store.cgi/html_web_store.cgi)
Affected Platforms:
* Unix
* Windows
Overview:
The Web Store is a shopping cart product by eXtropia. This script
merges Selena Sol's Electronic Outlet HTML
and Database shopping cart apps and adds all new routines for
error handling, order processing, encrypted mailing,
frames, Javascript and VBscript.
Description:
The Web Store is made up of a variety of scripts, of which one is
the main routine, web_store.cgi. The $page variable,
lets you display product/shopping html files. web_store.cgi
checks for the file extension of the $page input, it has
to be ended by a .html extension. In other words,
http://example.com/cgi-bin/Web_Store/web_store.cgi?page=page.html,
would open page.html in the browser. It checks for the .html
extension like so:
sub error_check_form_data
{
foreach $file_extension
(@acceptable_file_extensions_to_display)
{
if ($page =~ /$file_extension/ || $page eq "")
{
$valid_extension = "yes";
}
}
The open() call is displayed here:
sub display_page
{
local ($page, $routine, $file, $line) = @_;
# the subroutine begins by opening the requested file for
# reading, exiting with file_open_error if there is a
# problem as usual.
open (PAGE, "<$page") ||
&file_open_error("$page", "$routine", $file, $line);
Taking this information into account, if you would want to open
the /etc/inetd.conf file, a request for
http://example.com/cgi-bin/Web_Store/web_store.cgi??page=../../../../../../../../etc/inetd.conf
would fail since it
does not fullfill the $file_extension check. This problem can be
bypassed by using a NULL (%00) character that by
perl is seen as a character, but by the underlaying language is
interpreted as a \0 escape sequence character.
All the characters following the %00 will be ignored and so the
file can be opened in the following manner:
http://example.com/cgi-bin/Web_store/web_store.cgi?page=../../../../../../../../etc/inetd.conf%00.html
This will result in opening the /etc/inetd.conf file. In this
manner, arbitrary files could be read.
Solution:
By the use of regex you could add better input validation
checking that prevents double dot strings from being passed
through the open() call.
Resources & References:
* eXtropia's Webpage: http://www.extropia.com
---------------------------------
by f0bic (f0bic () deadprotocol org)
zSh - http://zsh.interniq.org
__________________________________________________ Gunther Birznieks (gunther.birznieks () extropia com) eXtropia - The Web Technology Company http://www.extropia.com/
Current thread:
- Security Advisory : eXtropia WebStore (web_store.cgi) Directory Traversal Vulnerability f0bic (Oct 09)
- Re: Security Advisory : eXtropia WebStore (web_store.cgi) Directory Traversal Vulnerability Gunther Birznieks (Oct 10)