Re: Cgisecurity.com Advisory #3.1

["admin () cgisecurity com" <admin () CGISECURITY COM>]

The staff at cgisecurity.com made an error in how part of the advisory was worded
and placed a update located at www.cgisecurity.com. The problem with how we worded it was that
it may appear that we said that versions with perl -t mode allowed command execution.
This is not true they will on the otherhand allow remote file reading with this particular
advisory #3.1.

10 out of 10 websites tested in the wild allowed command execution and remote file reading
,and we had not found the newer versions that extropia.com had mentioned except on there own
webpage.

After emailing them they were very helpful and quick to issue a patch to help there users.
They also discovered another security issue with the same script that may not have been found
if not for the initial problem.


-zenomorph

> Clarification to the remote execution versus remote file reading portion of
> the advisory:
>
> 1) Very old versions of bbs_forum.cgi suffered from ability to execute
> commands through lack of input handling.
>
> This was fixed several years ago two-fold: (1) adding taint mode and (2)
> tightening perl's open() commands so that the file operator (eg <) were
> included literally instead of relying on the default open operator being
> "open for read".
>
> Part of this advisory was written from testing this pre-taintmode version
> of the script.
>
> 2) However, taintmode does not check user input for reading files. So a
> directory traversal/arbitrary file reading bug remained in the read
> parameter when used in conjunction with several other input parameters as
> stated below.
>
> When we were alerted by CGISecurity.com, we also gave the script another
> quick once-over and discovered a different but similar domino effect on the
> reply_to_message parameter as well.
>
> Both those problems are fixed with the patch we provided below in
> CGISecurity's posting.
>
> In summary, those people running a version of bbs_forum.cgi without
> taintmode are running a really old version and should upgrade completely as
> they've ignored our prior security alerts.
>
> Those people who do have taintmode enabled in the script can safely assume
> the patch below is the only patch they require.
>
> At 04:52 PM 1/7/01 -0500, admin () cgisecurity com wrote:
> > The staff at cgisecurity.com have found a security issue with a
> > forum script that is widley used.
> >
> > Below is the advisory along with the vendor patch.
> >
> > -zenomorph
> >
> >                                         [Cgi Security Advisory #3.1]
> >                                           admin () cgisecurity com
> >                                                bbs_forum.cgi
> >
> >
> >
> > Found
> > January 3rd 2001
> >
> > Vendor Contacted
> > January 3rd 2001
> >
> > Public Release
> > January 7th 2001
> >
> >
> >
> > Script Effected: bbs_forum.cgi
> > Free
> >
> > Versions Effected:
> > 1.0
> > (Others unknown)
> >
> > Platforms
> > UNIX
> >
> > Vendor
> > http://www.extropia.com
> > Patch
> > http://www.extropia.com/hacks/bbs_security0.html
> >
> >
> >
> >
> > 1. Impact
> >
> > Any file can be read with the permissions of user nobody(or webserver).
> > Possible root comprimise in bbs_forum.cgi script. Command execution is
> > allowed and therefore shell spawning is possible. This has been tested on
> > unix and linux systems only and it is unknown if windows versions exist
> > and/or are effected.
> >
> > One thing to be noted about this hole is that perl was in taint mode, and
> > still allowed files to be read, and commands to be executed. This was
> > not originally intended. This is proof that perl -t is not always
> > enough.
> >
> > Example:
> >
> > www.host.com/cgi-bin/bbs_forum.cgi?forum=<valid forum
> > name>&read=../bbs_forum.cgi
> > Will grab the scripts own sourcecode.
> > Note: In order for this hole to work a valid forum name must be used,
> > so simply trying to call read= only may not work.
> >
> > 2. Fixes
> >
> > The vendor has been contacted about this serious security problem.
> > Please visit the vendor's website for patches and other important
> > information.
> >
> >
> >
> > 3. Attached Vendor Patch
> >
> > Note: This is a patch for people who know what they are doing.
> > Please visit http://www.extropia.com/hacks/bbs_security0.html
> > for information on upgrading.
> >
> >
> >
> > ********************* Vendor patch snippet **************************
> >
> > If you have made extensive modifications to bbs_forum.cgi and do not wish
> > to start over from scratch, search for the line at the start of
> > bbs_forum.cgi that says
> >
> >                       &ReadParse;
> >
> >                       And insert afterwards the following:
> >
> >                       if ($in{'read'} && $in{'read'} !~ /^\d+-\d+\.msg$/i)
> > {
> >                           print "Invalid Message #";
> >                           die("Invalid Message # provided: " .
> >                                   $in{'read'});
> >                       }
> >                       if ($in{'reply_to_message'} &&
> > $in{'reply_to_message'} !~ /^\d+-\d+\.msg$/i) {
> >                           print "Invalid Reply To Message #";
> >                           die("Invalid Reply To Message # provided: " .
> >                                   $in{'reply_to_message'});
> >                       }
> >
> > This code assures the script that the message file
> > form variables can only consist of the strict filename format of digits
> > followed by a hyphen followed by some digits followed by the literal
> > string ".msg".
> >
> > We recommend updating your script as soon as possible.
> > Special thanks to cgisecurity.com for pointing our the issue.
> >
> >
> > **************************** End Patch ******************************
> >
> > Published to the Public January 2001
> > Copyright January 2001 Cgisecurity.com
>
> __________________________________________________
> Gunther Birznieks (gunther.birznieks () extropia com)
> eXtropia - The Web Technology Company
> http://www.extropia.com/