5th Jun 2002 [SBWID-5405]
COMMAND
csPassword.cgi (from CGIscript.net) multiple vulnerabilities
SYSTEMS AFFECTED
current version
PROBLEM
Steve Gustin [stegus1@yahoo.com], with assistance of Michael J
McCafferty [mike@m5computersecurity.com], found the following.
From the website: "An automated system for creating and maintaining
apache style .htaccess files to password protect website directories."
The following issues have been found:
1) because .htpasswd files are generated in the same folder as the
.htaccess files, a web accessible folder, it may be possible for a user
who has a password for the protected folder to download the .htpasswd
file with the usernames and passwords (crypted) of all the other users.
Note: The web server would have to not otherwise restrict access to
.ht* files (some do, some don't).
2) When the program displays an error, it also displays a lot of debug
information, including form input, environment values, etc. There's at
least a "file path disclosure" problem there, if not more. Sample
error URL: csPassword.cgi?command=remove (They call the &remove()
function but don't define it.)
3) For someone who has login access to the csPassword program, it would
be possible to insert additional directives into the .htaccess file that
is generated, allowing them to potentially do funky things to the web
server (redirect traffic, set scripts or data files as viewable text
files, make aliases to other non-web folders, etc.). This is done
by specifying newlines and additional chars in the title field on the
edit page.
4) When the program saves, deletes, etc. its data file, it creates a
"password.cgi.tmp" file that contains all the usernames and
(un-encrypted) passwords. Depending on your setup, this file may be
readable, and someone hammering your server with requests may be able to
download it before the program can rename it over the original. This
may be tough, but possible. Note: It looks as if a number of
cgiscript.net's other scripts also have this problem.
Exploit
=======
An easy way to enter newlines into the text field on the edit page is
to have your browser turn it into a textbox for you. In Internet
Explorer, you can do that by pasting this into the address bar:
javascript:void(document.form1.title.outerHTML="<textarea
name=title></textarea>");
SOLUTION
Make sure you only allow trusted users to use the csPassword
application, and make sure your web server is configured to deny
requests for .ht* and *.tmp files. Additionally, password protecting
the directory the csPassword program is in will prevent a
non-authorized user from viewing debug data (#2) or downloading tmp
files.
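Two defensive checks for the issues above, as an added example in Python that is not part of the advisory or of CGIscript.net's code. It assumes the edit-page title ends up in an Apache AuthName directive (the advisory does not name the directive) and that the server-side deny rule uses a FilesMatch pattern of `^\.ht|\.tmp$` covering both .ht* files (#1) and the password.cgi.tmp file (#4).

```python
import re

# Hypothetical FilesMatch pattern for the deny rule recommended in SOLUTION:
#   <FilesMatch "^\.ht|\.tmp$">
#       Require all denied
#   </FilesMatch>
# FilesMatch is applied to the basename of the requested file.
DENY_PATTERN = re.compile(r"^\.ht|\.tmp$")


def denied_by_filesmatch(filename: str) -> bool:
    """Return True if the deny rule would block a request for this basename."""
    return DENY_PATTERN.search(filename) is not None


class UnsafeTitle(ValueError):
    """Raised when a title could break out of its .htaccess directive (#3)."""


def safe_authname_directive(title: str) -> str:
    """Render the title as an AuthName directive without allowing
    directive injection.

    Issue #3 works because a CR or LF in the title field starts a new
    line, i.e. a new directive, in the generated .htaccess. Control
    characters are therefore rejected outright; quotes and backslashes
    are escaped so the value stays inside its quoted string.
    """
    if any(ch in title for ch in "\r\n\0"):
        raise UnsafeTitle("title must not contain line breaks or NULs")
    if not title.strip():
        raise UnsafeTitle("title must not be empty")
    escaped = title.replace("\\", "\\\\").replace('"', '\\"')
    return f'AuthName "{escaped}"'


if __name__ == "__main__":
    # Constructed sample requests and titles, not taken from the advisory.
    for name in (".htpasswd", ".htaccess", "password.cgi.tmp", "index.html"):
        print(f"{name:20} denied={denied_by_filesmatch(name)}")
    print(safe_authname_directive('Members "Only"'))
    try:
        safe_authname_directive("Members\nRedirect / http://example.invalid/")
    except UnsafeTitle as exc:
        print("rejected:", exc)
```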