Vendor  : Markus Triska

URL     : http://triskam.virtualave.net/cginews.html 

Version : 1.07 And Possible Earlier & CGIForum 1.09

Risk    : Weak Encryption & Info Disclosure





Description:

CGINews is a multi-user Web site news posting system written in Perl. 

Main features include: adding, updating, and deleting news entries, 

multi-user functionality, sections, access levels, logs, 

highly-configurable layout, file upload, binary attachments and more.





Weak Password Encryption:

The CGI News program does not use DES, MD5 or any other one way crypt

algorithm. It instead uses a weak, decryptable method. Below is a script

that can easily decrypt the passwords found in the programs *.pwl files.

This issue is also present in CGIForum 1.09 by Markus Triska and can be 

used to decode CGIForum password files as well.



http://www.gulftech.org/vuln/cnc.txt 







Information Disclosure Vulnerability:

By default the users log files are viewable. username/username.log The only

files not viewable by default are the .pwl files



Sat Dec 13 21:06:37 2003: jeiar changed password.

Sat Dec 13 21:10:21 2003: jeiar changed E-Mail/Syntax: test@blah/jeiar. 

Sat Dec 13 21:10:54 2003: jeiar tried to change password.

Sat Dec 13 21:13:59 2003: jeiar uploaded file: C:\cmd.exe

Sat Dec 13 21:31:38 2003: jeiar uploaded file: C:\cnc.pl





Solution:

You can add your own DES or MD5 encryption if you are familiar with PERL, and to

solve the logfile problem simply add a .htaccess file that makes the directory

not viewable. For example



AuthType Basic

AuthName "No access"

AuthUserFile .htnopasswd

AuthGroupFile /dev/null

Require valid-user



The author plans on including this type of .htaccess file in future versions, but 

does not have any plans on changing or strengthening the encryption method.



Credits:

Credits go to JeiAr of the GulfTech Security Research Team. 

http://www.gulftech.org