COMMAND

    multiple CGIscript.net scripts remote code execution

SYSTEMS AFFECTED

    csGuestbook
    csLiveSupport
    csNewsPro
    csChatRBox

PROBLEM

    Steve Gustin found the following vulnerabilities in some CGIscript.net scripts:

    CGIScript.net distributes a number of free and commercial Perl CGI scripts developed by Mike Barone and Andy Angrick. Last month a remote code execution vulnerability was found in their csSearch product; further research and information provided by the vendor have revealed that four (4) additional scripts have the same vulnerability. These scripts are:

        csGuestBook   - guestbook program
        csLiveSupport - web based support/chat program
        csNewsPro     - website news updater/editor
        csChatRBox    - web based chat script

    These scripts store their configuration data as Perl code in a file called "setup.cgi", which is eval()uated by the script to load it back into memory at runtime. Due to an access validation error, any user can cause configuration data to be written to "setup.cgi" and therefore execute arbitrary Perl code on the server.

    EXPLOIT
    =======

    Configuration data is (typically) saved with the following URL:

        scriptname.cgi?command=savesetup&setup=PERL_CODE_HERE

    Note that any Perl code would need to be URL encoded. A malicious user could essentially execute any arbitrary Perl code or shell commands.

    Only csChatRBox was tested for this vulnerability; however, the vendor stated that the other scripts were also affected.

    SysAdmins wanting to scan for affected scripts should check for the following filenames: "csGuestbook.cgi", "csLiveSupport.cgi", "csNews.cgi", "csChatRBox.cgi".

    IMPACT
    ======

    Because of the high number of users who are using CGIscript.net scripts (over 17,000 csSearch users alone, according to the website) and the fact that search engines can easily be used to identify sites with the unique "csScriptName.cgi" script names, the risk posed by these flaws is very high indeed.

    Additionally, because the vendor does not post version numbers or changelogs (that we could find) on their website or with their software, and because the patched version of csChatRBox has the same version number as the vulnerable version (1.0), it may be more difficult for users to determine whether or not their script is vulnerable.

SOLUTION

    The vendor has released updated versions of all the affected scripts to patch the flaws.
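The two checks the advisory leaves to the sysadmin (look for the four script filenames, and notice writes to "setup.cgi" via command=savesetup) can be automated. The following is an added example in Python, not code from the advisory or from CGIscript.net; it assumes Apache/NCSA combined-format access logs, and the log lines, IP addresses and file paths it uses are constructed for illustration. The first function matches a list of paths against the filenames the advisory names; the second parses log lines and reports every request carrying command=savesetup, decoding the setup parameter so an administrator can see what was written. Because the vendor did not change version numbers, a filename hit only tells you a script that needs to be compared against the vendor's updated release, and a savesetup request from any address other than the site administrator's is the signal that configuration was tampered with.

```python
import os
import re
from urllib.parse import parse_qs, urlsplit

# Script filenames the advisory tells sysadmins to look for.
AFFECTED_SCRIPTS = ("csGuestbook.cgi", "csLiveSupport.cgi", "csNews.cgi", "csChatRBox.cgi")

# Apache/NCSA combined log line (assumption: this is the log format in use).
# Only the client IP, request target and status code are extracted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic); the setup parameter is a harmless
# URL-encoded Perl assignment used only to show the decoding step.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2002:13:55:36 -0500] "GET /cgi-bin/csChatRBox.cgi'
    '?command=savesetup&setup=%24title%3D%22Chat%22%3B HTTP/1.0" 200 512',
    '198.51.100.4 - - [10/Oct/2002:13:56:01 -0500] "GET /cgi-bin/csChatRBox.cgi'
    '?command=view HTTP/1.0" 200 2048',
    '203.0.113.7 - - [10/Oct/2002:13:57:12 -0500] "GET /cgi-bin/csNews.cgi'
    '?setup=%24y%3D2%3B&command=savesetup HTTP/1.0" 200 512',
    '192.0.2.9 - - [10/Oct/2002:13:58:00 -0500] "GET /index.html HTTP/1.0" 200 1024',
]


def match_affected_scripts(paths):
    """Return, sorted, every path whose basename is one of the advisory's script names."""
    return sorted(p for p in paths if os.path.basename(p) in AFFECTED_SCRIPTS)


def find_affected_scripts(webroot):
    """Walk a web root on disk and apply match_affected_scripts to every file found."""
    found = []
    for dirpath, _dirs, files in os.walk(webroot):
        found.extend(os.path.join(dirpath, name) for name in files)
    return match_affected_scripts(found)


def find_savesetup_requests(log_lines):
    """Return (client_ip, script_name, http_status, decoded_setup) for each request to a
    .cgi target whose query string contains command=savesetup, i.e. a write to setup.cgi.
    Parameter order does not matter; parse_qs URL-decodes the setup value."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(".cgi"):
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)
        if "savesetup" not in qs.get("command", []):
            continue
        setup = qs.get("setup", [""])[0]
        findings.append(
            (m.group("ip"), os.path.basename(parts.path), int(m.group("status")), setup)
        )
    return findings


if __name__ == "__main__":
    for ip, script, status, setup in find_savesetup_requests(SAMPLE_LOG):
        print(f"{ip} wrote configuration via {script} (HTTP {status}): {setup!r}")
```

Run it against a real log with `find_savesetup_requests(open("access_log"))` and against the document root with `find_affected_scripts("/var/www")`; a 200 status on a savesetup request from an unexpected client means the write most likely succeeded and "setup.cgi" should be inspected before the script is run again.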