Vulnerability: DCForum

Affected: DCForum 2000 1.0

Description:
Franklin DeMatto (qDefense Advisory QDAV-5-2000-1) found the following in DCForum 2000 1.0. Any remote attacker may gain read/write/execute privileges on the web server. The underlying causes are a failure to validate input, trust placed in a hidden form field, and a default configuration that allows uploading of arbitrary files.

DCForum is a popular CGI script for creating message boards on web sites. Line 121 of the file dcboard.cgi contains a statement of the form "require <prefix><az hidden form field><suffix>;" (the exact line was not quoted due to copyright restrictions). The Perl statement "require EXPR" opens the file named by EXPR, parses it, and executes it as ordinary Perl, as if the entire contents of that file appeared at that point. Therefore an attacker who can write a file containing Perl code to the server can execute it by setting the az field to the name of that file on the server.

To make matters worse, no input checking is done on the az field, so as long as the file is located anywhere on the server an attacker can reference it, using ".." sequences to escape the prefix and a %00 (null byte) to truncate off the suffix.

Getting the file onto the server is no problem either. DCForum, by default, allows any user to upload any file by setting az=upload_file. There are other ways of getting files onto the server as well, so even servers that have disabled uploading are vulnerable.

Solution:
DCScripts released a security patch on 3/31/2001 designed to address these issues: http://www.dcscripts.com/FAQ/sec_2001_03_31.html
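As an added illustration (this is not DCForum's code; the actual line 121 of dcboard.cgi was never published), the following Perl shows the "require <prefix><az><suffix>" pattern the advisory describes, how a decoded az value of "../../../../tmp/evil%00" turns into a path outside the intended directory, and a hardened dispatch that looks the field up in a fixed table instead of handing it to the filesystem. The prefix "./lib/", the suffix ".pl" and the action names are assumptions chosen for the example.

```perl
#!/usr/bin/perl
# Added example, not DCForum's own code. Demonstrates the vulnerable
# "require <prefix><az><suffix>" pattern and a hardened replacement.
use strict;
use warnings;

# Assumed values; the real prefix and suffix in dcboard.cgi were not quoted.
my $prefix = "./lib/";
my $suffix = ".pl";

# Minimal URL decoding of a form value, the way a CGI reads the az field.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Vulnerable: the path handed to require is built from the untrusted field.
sub build_require_path {
    my ($az) = @_;
    return $prefix . $az . $suffix;
}

sub vulnerable_dispatch {
    my ($az) = @_;
    my $path = build_require_path($az);
    # With az = "../../../../tmp/evil%00" (decoded: "../../../../tmp/evil\0"),
    # the ".." components walk out of $prefix and, on Perl builds of that era,
    # the NUL byte ended the C string before $suffix, so require loaded and
    # executed /tmp/evil as Perl code.
    require $path;
}

# Hardened: the field selects an entry from a fixed table and never reaches
# the filesystem itself; anything that is not a plain identifier is rejected.
my %actions = (
    list => 'list.pl',
    show => 'show.pl',
    # upload_file deliberately absent: uploads should not be reachable by default.
);

sub validate_action {
    my ($az) = @_;
    return 0 unless defined $az;
    return 0 unless $az =~ /\A[A-Za-z0-9_]{1,32}\z/;   # excludes '.', '/', NUL
    return exists $actions{$az} ? 1 : 0;
}

sub safe_dispatch {
    my ($az) = @_;
    die "invalid action\n" unless validate_action($az);
    my $file = $prefix . $actions{$az};
    require $file;
}

# Demonstration with a constructed attacker value.
my $evil = url_decode("../../../../tmp/evil%00");
my $shown = build_require_path($evil);
$shown =~ s/\0/\\0/g;                       # make the NUL visible when printed
print "vulnerable path: $shown\n";          # ./lib/../../../../tmp/evil\0.pl
printf "validate_action('%s') = %d\n", $_, validate_action($_)
    for ("list", "../../../../tmp/evil", "upload_file");
```

Two points worth noting. The whitelist regex rejects the traversal and the null byte before any path is built, so the fix does not depend on what the runtime does with a NUL; newer Perl releases refuse file names containing a NUL byte, but the ".." traversal alone is still enough to load an uploaded file that ends in the expected suffix. And keeping upload_file out of the table mirrors the advisory's second point: a file-write primitive plus an unvalidated require is the combination that gives remote code execution, so both halves should be closed.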