Vulnerability: Gnatsweb

Affected: Gnatsweb 2.7beta, 2.8.0, 2.8.1, 3.95 for GNATS 4, and versions checked out of CVS prior to June 26, 2001

Description

Joost Pol found the following. In Gnatsweb 2.7 beta, a new help system was introduced. The standard help text was provided in a separate file named 'gnatsweb.html'. For some reason it was decided to allow the name of the help file to be customized, and it was possible to specify this filename by providing a value for the help_file parameter in a request URL. If a URL such as http://www.whatever.whatever/cgi-bin/gnatsweb.pl?cmd=help&help_file=somefile.html was used to access Gnatsweb, the file somefile.html would be served up as help text instead.

The problem was that the value of this parameter was never checked before it was used in an open() statement. Perl's open() interprets special characters in a filename handed to it as a bare string: a trailing '|' turns the name into a command to run, and '..' components walk up the directory tree. By judicious use of such characters in the value of the help_file parameter, an attacker would therefore be able to read the contents of any file, or execute any command, to which the web server process user had access.

Solution

Download and apply the patch for your version of Gnatsweb. This fix hardcodes the name 'gnatsweb.html' for the help file and makes a slight modification to the way the file is opened.

Gnatsweb 3.95 is part of the yet-to-be-released GNATS 4 distribution. Versions checked out of the CVS repository on sources.redhat.com prior to Jun 26 2001 12:15 PDT contain this bug. Users running such versions should check out a new version.

A new version of Gnatsweb incorporating this fix, numbered 2.8.2, is available from the FTP site on sources.redhat.com and from ftp.gnu.org and its mirrors.
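The following Perl is an added illustration of the bug class the advisory describes and of the two-part remedy (hard-coded filename, safer open). It is not Gnatsweb's own code: the subroutine names, the throwaway directory and the sample help file are constructed for this example, and the command used to show the pipe behaviour is a harmless echo rather than anything an attacker would pick.

```perl
#!/usr/bin/perl
# Added example (not Gnatsweb code): an attacker-controlled filename reaching
# Perl's two-argument open(), beside the hardened form.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Vulnerable pattern. The value of help_file comes straight from the query
# string. Two-argument open() *parses* that string: a leading '<' or '>'
# selects a mode and a trailing '|' turns it into a pipe, so a value such as
# "some command|" runs the command, and "../../../../etc/passwd" reads any
# file the web server user can read.
sub serve_help_vulnerable {
    my ($help_file) = @_;          # e.g. $q->param('help_file'), unchecked
    open(my $fh, $help_file) or die "cannot open '$help_file': $!";
    local $/;                      # slurp whole file
    my $text = <$fh>;
    close $fh;
    return $text;
}

# Hardened pattern, mirroring the fix in the advisory: the filename is
# hard-coded (the request parameter is ignored entirely) and the file is
# opened with three-argument open(), which takes the mode separately and
# passes the name through verbatim, never interpreting '|', '<' or '>'.
sub serve_help_fixed {
    my $help_file = 'gnatsweb.html';   # no longer taken from the request
    open(my $fh, '<', $help_file) or die "cannot open '$help_file': $!";
    local $/;
    my $text = <$fh>;
    close $fh;
    return $text;
}

# Helper showing just the second half of the fix: the same untrusted value
# handed to three-argument open() is treated as a literal filename.
sub open_literal {
    my ($name) = @_;
    open(my $fh, '<', $name) or return "open failed: $!";
    close $fh;
    return "opened a real file";
}

# Demonstration in a throwaway directory (constructed for this example).
my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir: $!";
open(my $out, '>', 'gnatsweb.html') or die "create: $!";
print $out "<h1>Gnatsweb help</h1>\n";
close $out;

# 1. Legitimate use: the hard-coded help file is served.
print "fixed, normal file:\n", serve_help_fixed();

# 2. The vulnerable routine, given a value ending in '|', runs a command
#    instead of reading a file (prints "pwned").
my $evil = 'echo pwned|';
print "vulnerable, '$evil':\n", serve_help_vulnerable($evil);

# 3. Three-argument open() with the same value: no file is literally named
#    "echo pwned|", so it simply fails with "No such file or directory".
print "three-arg open, '$evil': ", open_literal($evil), "\n";
```

Run it as an ordinary script; step 2 prints the output of the echo command, which is exactly the behaviour the advisory warns about, while step 3 shows that the mode-separating form of open() refuses to treat the value as anything but a filename. Hard-coding the name, as the patch does, removes the attacker's input from the open() call altogether, so the three-argument form is defence in depth rather than the sole barrier.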