Title: a remote input validation error in the dcforum cgi script
Released by: cgisecurity.com
Date: 15th November 2000

The staff of cgisecurity.com have found a remote input validation
error in the dcforum cgi script.

NOTE: The vendor was very quick to issue a patch on this and because of
this I decided to release it so soon after finding it.
Below is a paste of the advisory.

-zenomorph

                        [Cgi Security Advisory #2]
                          admin@cgisecurity.com
                       DCForum Major security issues

Found: November 16th 2000, 11:30am
Vendor contacted: 1:20am
Vendor patch issued: 1:44am
Public release: November 2000

Script Affected: DCForum
Price: $69 Personal, $99 Commercial

Versions affected:
All versions of DCForum
1.0 - 6.0 (Current)

Platforms:
UNIX, Linux, Windows NT, and Windows 2000

Vendor
http://www.dcscripts.com

Patch
http://www.dcscripts.com/dcforum/dcfNews/124.html

1. Impact

Any file can be read with the permissions of user nobody (or webserver).
Possible root compromise in the /dcforum/dcboard.cgi script. Command
execution is not allowed (read only). This has only been tested on Unix and
Linux versions, and it is unknown whether Windows versions are affected.

2. Damage caused

It causes the deletion of dcboard.cgi if you ask it to view its own source.
Cause for this is unknown as of now since I do not have the source.

For the above reason I cannot release the exploit itself at this point in
time. I would release it but it caused too much damage by "clicking on a
link". If it simply gave you the passwd file that would be one thing, but it
deleted data and perhaps more not known of yet.

3. Fixes

The vendor has been contacted about this serious security problem.
A patch was issued within 1 hour of the finding of this hole.
This vendor was quick to respond.

http://www.dcscripts.com/dcforum/dcfNews/124.html

Below is a copy of the vendor patch as issued on their website.

********************************PATCH**************************************

1. DCForum Security Bug!!! Nov-14-00 01:44 AM

        DCForum Security Alert!!! Affects all versions of DCForum.
        ==================================

        An anonymous user has reported a security alert. Please make this update
        as soon as possible.

        FIX - In dcboard.cgi and dcadmin.cgi, after

        $r_in = \%in;

        ADD

        $r_in->{'forum'} =~ s/\W//g;

        Please apply this patch as soon as possible.

        David
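
What the one-line fix above does to a request value, as an added example that is not code from the advisory or from the vendor. strip_forum repeats the vendor's substitution; validate_forum, its 64-character limit and the sample values are hypothetical and constructed for illustration, since the advisory publishes no exploit details.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Same substitution as the vendor fix: delete every non-word character,
# leaving only letters, digits and underscore.
sub strip_forum {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ s/\W//g;
    return $value;
}

# Hypothetical stricter check (not vendor code): accept the value only if
# it is already clean, otherwise return undef so the caller can refuse
# the request instead of silently rewriting it.
sub validate_forum {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ /\A[A-Za-z0-9_]{1,64}\z/ ? $value : undef;
}

# Constructed sample values for the 'forum' parameter.
my @samples = ('general', 'dev_talk2', '../../etc/passwd', "general\0.txt", '');

for my $raw (@samples) {
    (my $shown = $raw) =~ s/\0/\\0/g;    # make the NUL byte printable
    my $stripped = strip_forum($raw);
    my $verdict  = defined(validate_forum($raw)) ? 'accepted' : 'rejected';
    printf "%-20s strip -> %-14s validate -> %s\n",
        "'$shown'", "'$stripped'", $verdict;
}
```

Stripping turns a malformed value into a different, valid-looking name or into an empty string, so the calling script still has to handle a forum that does not exist. Rejecting the request instead keeps the bad input visible in the logs.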

Published to the Public November 2000

Copyright September 2000 Cgisecurity.com