COMMAND

    Multiple cgihtml vulnerabilities

SYSTEMS AFFECTED

    ?

PROBLEM

    Chris Leishman [chris@leishman.org] says:

    cgihtml is a collection of routines for parsing World Wide Web (WWW)
    Common Gateway Interface (CGI) input and outputting HyperText Markup
    Language (HTML).

        http://www.eekim.com/software/cgihtml/

    According to the author's website, it has potentially been used in the
    implementation of everything from individual home pages to large
    e-commerce sites. It was written by Eugene Eric Kim <eekim@eekim.com>,
    also the publisher of the 'CGI Developer's Guide'.

    Vulnerabilities
    ---------------

    These vulnerabilities were discovered in the current release of
    cgihtml, version 1.69.

    == Unsafe temporary file usage

    The most obvious error is that, when handling form uploads (content
    type 'multipart/form-data'), cgihtml attempts to create a file in the
    system /tmp directory (or other directory if configured) using the
    name provided by the user agent, without doing any checks on the
    filename. This allows the user agent to trivially write to any file
    outside /tmp by using a filename with a path containing '../'.

    == Unsafe temporary file creation

    The way the temporary file is created is also insecure and could be
    exploited locally (using symlink attacks or similar).

    == Unsafe interpretation of content-length

    cgihtml implicitly trusts the content length specified by the user
    agent, and allocates memory based on that value in which to store the
    post data. This is a trivial DOS.

    == Unsafe memory management and assumption of input structure

    I have noticed numerous points throughout the code where input is
    handled insecurely, or the input format is assumed, which can allow
    the user agent to cause bad memory accesses and most likely buffer
    overflows. My brief investigation focused on the 'multipart/form-data'
    processing, but I am assuming similar problems may exist outside this
    section of the code.

    As an example, it is assumed that header lines in multipart sections
    will be structured such that the name of the section can be read
    beginning at the 38th character of the line, and no attempt is made to
    verify the buffer contains that amount of data.

    --snip--

    Below is an example user agent request that triggers the first issue
    mentioned (unsafe temporary file usage).

    =====request start
    POST http://someserver.com/blah.cgi HTTP/1.0
    User-Agent: Haxor
    Content-Type: multipart/form-data; boundary=#123456789#multipart#boundary#1234567890#
    Content-Length: 282

    --#123456789#multipart#boundary#1234567890#
    Content-Disposition: form-data; name="Haxor"; filename="../../../tmp/haxor.html"

    <HTML>
    <HEAD><TITLE>Haxor</TITLE></HEAD>
    <BODY><H1>This page should not be here</H1></BODY>
    </HTML>
    --#123456789#multipart#boundary#1234567890#--
    =====request end

SOLUTION

    ?
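The following C snippet is an added illustration of how an upload handler can avoid the four classes of defect the advisory describes; it is not cgihtml's code and not a patch for it. It parses the Content-Disposition header by searching for the `name="..."` and `filename="..."` parameters with bounds checks instead of reading from a fixed offset, rejects any supplied filename that contains a path separator or starts with a dot (so '../' traversal cannot escape the upload directory), bounds Content-Length against a fixed limit before any allocation, and creates the spool file with mkstemp() (O_CREAT|O_EXCL, mode 0600) so a pre-placed symlink in /tmp is never followed. The header line and limits used below are constructed for the example; the upload directory and the 1 MiB cap are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Extract the quoted value of `key` from a Content-Disposition line.
 * Matches only at a parameter boundary, so "name" never matches inside
 * "filename". Returns 1 on success, 0 if absent, unterminated or too long. */
int get_disposition_param(const char *line, const char *key,
                          char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = line;
    while ((p = strstr(p, key)) != NULL) {
        int at_boundary = (p == line) || p[-1] == ' ' || p[-1] == ';';
        if (at_boundary && p[klen] == '=' && p[klen + 1] == '"') {
            const char *start = p + klen + 2;
            const char *end = strchr(start, '"');
            if (end == NULL || (size_t)(end - start) >= outlen)
                return 0;            /* unterminated quote or would overflow out[] */
            memcpy(out, start, (size_t)(end - start));
            out[end - start] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* Accept a client-supplied filename only if it is a single path component
 * made of [A-Za-z0-9._-] and does not start with '.'. This rejects
 * "../../../tmp/haxor.html", absolute paths, "." and "..". */
int safe_upload_name(const char *supplied, char *out, size_t outlen)
{
    size_t n = strlen(supplied);
    if (n == 0 || n >= outlen || supplied[0] == '.')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)supplied[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;                /* covers '/', '\\', NUL-adjacent junk, spaces */
    }
    memcpy(out, supplied, n + 1);
    return 1;
}

/* Parse Content-Length strictly and refuse anything above max_bytes,
 * so the client cannot drive a malloc() of arbitrary size. -1 = reject. */
long parse_content_length(const char *value, long max_bytes)
{
    char *end;
    errno = 0;
    long n = strtol(value, &end, 10);
    if (errno != 0 || end == value || *end != '\0')
        return -1;
    if (n < 0 || n > max_bytes)
        return -1;
    return n;
}

/* Create the spool file with a server-chosen unique name. mkstemp() opens
 * with O_CREAT|O_EXCL and mode 0600, so an existing file or symlink at
 * that path makes it fail instead of being followed. Returns an fd or -1. */
int create_upload_file(const char *dir, char *path, size_t pathlen)
{
    int n = snprintf(path, pathlen, "%s/upload.XXXXXX", dir);
    if (n < 0 || (size_t)n >= pathlen)
        return -1;
    return mkstemp(path);
}

int main(void)
{
    /* Constructed header line, mirroring the one in the advisory's request. */
    const char *hdr = "Content-Disposition: form-data; name=\"Haxor\"; "
                      "filename=\"../../../tmp/haxor.html\"";
    char fname[128], clean[128], path[256];

    if (get_disposition_param(hdr, "filename", fname, sizeof fname))
        printf("supplied filename %s -> %s\n", fname,
               safe_upload_name(fname, clean, sizeof clean) ? "accepted" : "rejected");

    printf("Content-Length 282 -> %ld\n", parse_content_length("282", 1L << 20));
    printf("Content-Length 99999999999 -> %ld\n",
           parse_content_length("99999999999", 1L << 20));

    int fd = create_upload_file("/tmp", path, sizeof path);   /* assumed upload dir */
    if (fd >= 0) {
        printf("spool file %s\n", path);
        close(fd);
        unlink(path);
    }
    return 0;
}
```

The original filename, once validated, is useful only as metadata (for example stored alongside the spool file); the path actually opened is always the one mkstemp() generated inside the configured directory.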