Bugtraq mailing list archives
Re: Security Advisory : eXtropia WebStore (web_store.cgi) Directory Traversal Vulnerability
From: f0bic <f0bic () deadprotocol org>
Date: Mon, 9 Oct 2000 20:10:45 -0400
Dear Mr. Birznieks, I understand your concerns regarding the posting of this security advisory onto bugtraq. In previous advisory releases I have gone to great lenghts to inform the affected companies ahead of time with little or no result. These companies did not implement a fix in later releases neither did they send out a security advisory to their clients. Therefore I have chosen to directly inform the companies or clients that run this affected software through posting an advisory on bugtraq (the most popular site for security announcements, fixes, and releases, where i.e. microsoft, redhat, bsd releases it's security advisories). The information enclosed in my advisory may have been fixed in the latest release of your product, but there are still a lot of your clients out there using one of the older versions of your product. I apologize for any inconvience that I may have caused, but I feel it's necessary in light of past attempts to inform companies of these security vulnerabilities in order that they may be fixed. I appreciate your unusually quick response to this matter. In the future I will take the necessary steps to see that affected companies receive the information prior to release on bugtraq. Thank You, f0bic () deadprotocol org On Mon, 09 Oct 2000, you wrote:
I have to say that I am a bit upset about this post for several reasons. 1) I do not believe this is a vulnerability in our current web store release and hasn't been for quite a long time. eg the subroutine you cite as having a problem: error_check_form_data() is actually called AFTER I've gone through an untainting procedure on the page which explicitly only allows word chars (\w), -, =, +, / plus one and only one period followed by one or more word characters (\w+). Then $page is reassigned to $1.$2, so that if any null byte existed afterwards, then this would be stripped out of the $page. In other words, I find it difficult to believe this is a currently problem based on the information you posted. At best you can only say that this was a problem maybe 2 years ago. Old news -- we already posted to all our users that we put security fixes for this back then. 2) Even if this is a vulnerability, you did not notify eXtropia before posting this! If you search the past posts here, you will see that it is irresponsible for you to be posting vulnerabilties without notifying the vendor first. a) You risk spreading misinformation and causing extra work for people checking vulnerabilities where none exist. As stated in #1, I believe this is the case here. b) You don't know the script very well. The vendor does. If you have a security vulnerability report to make, you should ask the vendor whether your fix is actually valid. I don't care if you are a genius IQ, nobody but the person who coded the script tends to know it best. Just because you find a vulnerability does not mean that you know how to solve it in the best and most efficient way possible nor that you know the side effects such a fix might make to the rest of the programs operation. c) You are informing hackers of a vulnerability in a product way before the users of that product! That's irresponsible. You need to give the vendor the chance (if only a DAY!!!) to fix the problem and notify all their users. Most users of free CGI scripts are normal business people and part-time webmasters -- they don't subscribe to lists such as these because they are way too technical and contain too much traffic for them to decipher. All you succeed in doing here is telling the intellectuals who read this list (many of whom may be hackers themselves) how to hack into someone else's system. Only the vendor has the customer list of who is using their scripts or applications, so only the vendor can really notify the users. Anyway, I am really glad that there are people like you who take the time to figure out security vulnerabilities. But please temper your special gift with some responsibility for the community at large. :) Thanks, Gunther At 03:45 AM 10/9/2000 -0400, f0bic wrote:[ October 9, 2000 ] Security Advisory (web_store.cgi.ad-1.00-10) : eXtropia WebStore (web_store.cgi) Directory Traversal Vulnerability Affected Product/Version: * eXtropia WebStore (web_store.cgi/html_web_store.cgi) Affected Platforms: * Unix * Windows Overview: The Web Store is a shopping cart product by eXtropia. This script merges Selena Sol's Electronic Outlet HTML and Database shopping cart apps and adds all new routines for error handling, order processing, encrypted mailing, frames, Javascript and VBscript. Description: The Web Store is made up of a variety of scripts, of which one is the main routine, web_store.cgi. The $page variable, lets you display product/shopping html files. web_store.cgi checks for the file extension of the $page input, it has to be ended by a .html extension. In other words, http://example.com/cgi-bin/Web_Store/web_store.cgi?page=page.html, would open page.html in the browser. It checks for the .html extension like so: sub error_check_form_data { foreach $file_extension (@acceptable_file_extensions_to_display) { if ($page =~ /$file_extension/ || $page eq "") { $valid_extension = "yes"; } } The open() call is displayed here: sub display_page { local ($page, $routine, $file, $line) = @_; # the subroutine begins by opening the requested file for # reading, exiting with file_open_error if there is a # problem as usual. open (PAGE, "<$page") || &file_open_error("$page", "$routine", $file, $line); Taking this information into account, if you would want to open the /etc/inetd.conf file, a request for http://example.com/cgi-bin/Web_Store/web_store.cgi??page=../../../../../../../../etc/inetd.conf would fail since it does not fullfill the $file_extension check. This problem can be bypassed by using a NULL (%00) character that by perl is seen as a character, but by the underlaying language is interpreted as a \0 escape sequence character. All the characters following the %00 will be ignored and so the file can be opened in the following manner: http://example.com/cgi-bin/Web_store/web_store.cgi?page=../../../../../../../../etc/inetd.conf%00.html This will result in opening the /etc/inetd.conf file. In this manner, arbitrary files could be read. Solution: By the use of regex you could add better input validation checking that prevents double dot strings from being passed through the open() call. Resources & References: * eXtropia's Webpage: http://www.extropia.com --------------------------------- by f0bic (f0bic () deadprotocol org) zSh - http://zsh.interniq.org__________________________________________________ Gunther Birznieks (gunther.birznieks () extropia com) eXtropia - The Web Technology Company http://www.extropia.com/
Current thread:
- Security Advisory : eXtropia WebStore (web_store.cgi) Directory Traversal Vulnerability f0bic (Oct 09)
- Re: Security Advisory : eXtropia WebStore (web_store.cgi) Directory Traversal Vulnerability Gunther Birznieks (Oct 10)
- Re: Security Advisory : eXtropia WebStore (web_store.cgi) Directory Traversal Vulnerability f0bic (Oct 10)
- Re: Security Advisory : eXtropia WebStore (web_store.cgi) Directory Traversal Vulnerability Gunther Birznieks (Oct 10)