COMMAND

    Avenger's News System permits remote command execution

SYSTEMS AFFECTED

    Avenger's News System 2.01

PROBLEM

    The variable $QUERY is defined in the config file as:

        <define QUERY>"$ENV{'QUERY_STRING'}"

    When the script is run it first checks for a POST, then it checks for a
    plugin. The problem is in the plugin subroutine:

        if (substr($QUERY, 0, 2) eq "p=") {
            # plugin name is everything after "p=" up to the first "&"
            $plugin = substr((split /&/, $QUERY)[0], 2);
            if (index("$QUERY", "&") < 0) {
                $QUERY = "";
            } else {
                $QUERY = substr($QUERY, index("$QUERY", "&")+1);
            }
            # two-argument open(): no mode given, so the filename itself is
            # interpreted, and a trailing "|" makes Perl run it as a command
            open (PLUGIN, "$FILE_LOCATION/$plugin");
            @plugin = <PLUGIN>;
            close (PLUGIN);
            eval("@plugin");
            exit;
        }

    No filtering is done on the user-supplied plugin name. Because it is
    passed unchanged to a two-argument open(), a name containing ".." escapes
    $FILE_LOCATION and a name ending in "|" is executed as a shell command,
    so remote command execution is possible.

    Exploit:

        ans.pl?p=../../../../bin/command argument|&blah

SOLUTION

    No patch yet. Filter meta characters and "..", and give open() an explicit
    mode (<, <<, >, >>) so the filename cannot be interpreted as a pipe.
    Replace the above code with this:

        if (substr($QUERY, 0, 2) eq "p=") {
            # filter meta characters
            $QUERY =~ s/([\&;\`'\\\|"*?~<>^\(\)\[\]\{\}\$\n\r])/\\$1/g;
            # filter double dot (..)
            $QUERY =~ s/\.\.//g;
            $plugin = substr((split /&/, $QUERY)[0], 2);
            if (index("$QUERY", "&") < 0) {
                $QUERY = "";
            } else {
                $QUERY = substr($QUERY, index("$QUERY", "&")+1);
            }
            # added a < to the open() - read-only
            open (PLUGIN, "<$FILE_LOCATION/$plugin");
            @plugin = <PLUGIN>;
            close (PLUGIN);
            eval("@plugin");
            exit;
        }
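The advisory's filter escapes "&" before the name is split on "&", which leaves a stray backslash on the plugin name and still relies on a blocklist; the following is an added example, not code from Avenger's News System, showing the allowlist approach a reviewer would ask for: validate the extracted name as a single safe path component and read it with three-argument open(). The $FILE_LOCATION value, the resolve_plugin and read_plugin names and the sample query strings are assumptions constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical plugin directory; the real value comes from the script's config.
my $FILE_LOCATION = '/var/www/ans/plugins';

# Extract the "p=" plugin name from a raw QUERY_STRING. Returns
# ($plugin_path, $rest_of_query) on success or (undef, $reason) on rejection.
sub resolve_plugin {
    my ($query) = @_;
    return (undef, 'no plugin requested') unless $query =~ /^p=/;

    # Split first, then validate only the part that reaches open().
    my ($first, @rest) = split /&/, $query;
    my $plugin = substr($first, 2);

    # Allowlist instead of blocklist: one path component of safe characters,
    # so "..", "/", "|", spaces and NUL can never reach the filesystem call.
    return (undef, "rejected plugin name '$plugin'")
        unless $plugin =~ /^[A-Za-z0-9_-]+(?:\.pl)?$/;

    return ("$FILE_LOCATION/$plugin", join('&', @rest));
}

# Three-argument open() with an explicit '<' mode never treats the filename
# as a pipe, so even a '|' that somehow survived validation is just a file name.
sub read_plugin {
    my ($path) = @_;
    open(my $fh, '<', $path) or return undef;
    local $/;                 # slurp the whole file
    my $source = <$fh>;
    close($fh);
    return $source;
}

# Constructed sample query strings: benign requests and the advisory's exploit shape.
my @samples = (
    'p=news.pl&page=2',
    'p=../../../../bin/command argument|&blah',
    'p=news.pl|&x',
    'p=',
);
for my $q (@samples) {
    my ($path, $info) = resolve_plugin($q);
    if (defined $path) {
        my $src = read_plugin($path);
        printf "%-45s -> ok: %s (%s)\n", $q, $path, defined $src ? 'readable' : 'not found';
    } else {
        printf "%-45s -> blocked: %s\n", $q, $info;
    }
}
```

Only the first sample passes validation; the remaining query (here "page=2") is returned separately so it can still be handed to the plugin as before.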