
Title: bbs_forum.cgi vulnerability
Released by: cgisecurity.com
Date: 9th January 2001
The staff at cgisecurity.com have found a security issue with a forum script that is widely used.

Below is the advisory along with the vendor patch.

-zenomorph

[Cgi Security Advisory #3.1]
admin@cgisecurity.com
bbs_forum.cgi

Found:            January 3rd 2001
Vendor Contacted: January 3rd 2001
Public Release:   January 7th 2001

Script Affected:   bbs_forum.cgi (Free)
Versions Affected: 1.0 (others unknown)
Platforms:         UNIX
Vendor:            http://www.extropia.com
Patch:             http://www.extropia.com/hacks/bbs_security0.html

1. Impact

Any file can be read with the permissions of user nobody (or whichever user the webserver runs as). Possible root compromise in the bbs_forum.cgi script. Command execution is allowed and therefore shell spawning is possible. This has been tested on UNIX and Linux systems only and it is unknown if Windows versions exist and/or are affected.

One thing to be noted about this hole is that perl was in taint mode, and still allowed files to be read and commands to be executed. This was not originally intended. This is proof that perl -T is not always enough.

Example:

www.host.com/cgi-bin/bbs_forum.cgi?forum=&read=../bbs_forum.cgi

This will grab the script's own source code.

Note: In order for this hole to work a valid forum name must be used, so simply trying to call read= only may not work.



2. Fixes

The vendor has been contacted about this serious security problem. Please visit the vendor's website for patches and other important information.

3. Attached Vendor Patch

Note: This is a patch for people who know what they are doing. Please visit http://www.extropia.com/hacks/bbs_security0.html for information on upgrading.

********************* Vendor patch snippet **************************

If you have made extensive modifications to bbs_forum.cgi and do not wish to start over from scratch, search for the line at the start of bbs_forum.cgi that says

    &ReadParse;

and insert afterwards the following:

    # Reject any message filename that is not of the form digits-digits.msg
    if ($in{'read'} && $in{'read'} !~ /^\d+-\d+\.msg$/i) {
        print "Invalid Message #";
        die("Invalid Message # provided: " . $in{'read'});
    }
    if ($in{'reply_to_message'} && $in{'reply_to_message'} !~ /^\d+-\d+\.msg$/i) {
        print "Invalid Reply To Message #";
        die("Invalid Reply To Message # provided: " . $in{'reply_to_message'});
    }

This code assures the script that the message file form variables can only consist of the strict filename format of digits followed by a hyphen followed by some digits followed by the literal string ".msg".

We recommend updating your script as soon as possible.

Special thanks to cgisecurity.com for pointing out the issue.

**************************** End Patch ******************************
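As an added example that is not part of the advisory or the vendor's patch, the following Perl script reimplements the vendor's allowlist as functions and exercises it against constructed values, including the traversal string from the Impact section. The strict_ok variant (anchored with \z), the check_param helper and all test values are constructed for this example; the only behavioural difference from the vendor's pattern is that \z refuses a trailing newline that $ would accept.

```perl
#!/usr/bin/perl
# Added example, not code from the advisory or the vendor. It reimplements
# the vendor's allowlist as functions and checks it against constructed
# values, including the traversal string shown in the Impact section.
use strict;
use warnings;

# Vendor pattern as shipped: digits, hyphen, digits, ".msg", case-insensitive.
# Caveat: '$' also matches just before a trailing newline.
sub vendor_ok {
    my ($v) = @_;
    return ($v =~ /^\d+-\d+\.msg$/i) ? 1 : 0;
}

# Same allowlist anchored with \z, which matches only at the true end.
sub strict_ok {
    my ($v) = @_;
    return ($v =~ /^\d+-\d+\.msg\z/i) ? 1 : 0;
}

# Hypothetical helper mirroring the patch's control flow: an empty value is
# left alone, a non-empty value must match. Returns an error string or undef.
sub check_param {
    my ($label, $value) = @_;
    return undef unless defined $value && length $value;
    return strict_ok($value) ? undef : "Invalid $label provided: $value";
}

# Constructed inputs: [value, expected vendor_ok, expected strict_ok]
my @cases = (
    ["12-34.msg",        1, 1],  # well-formed message file
    ["12-34.MSG",        1, 1],  # /i makes the extension case-insensitive
    ["../bbs_forum.cgi", 0, 0],  # traversal string from the advisory
    ["12-34.msg/../x",   0, 0],  # traversal appended to a valid prefix
    ["12-34.msg\n",      1, 0],  # only \z rejects the trailing newline
    ["",                 0, 0],  # empty: the patch skips the check entirely
);

for my $c (@cases) {
    my ($v, $want_vendor, $want_strict) = @$c;
    (my $shown = $v) =~ s/\n/\\n/g;
    die "vendor_ok('$shown') mismatch" unless vendor_ok($v) == $want_vendor;
    die "strict_ok('$shown') mismatch" unless strict_ok($v) == $want_strict;
    printf "%-20s vendor=%d strict=%d\n", "'$shown'", vendor_ok($v), strict_ok($v);
}
my $err = check_param("Message #", "../bbs_forum.cgi");
print defined $err ? "$err\n" : "accepted\n";
```

The script dies on the first case whose result differs from the expectation, so a clean run confirms that both patterns reject the traversal payload and that only the \z form rejects the newline-terminated value.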



Published to the Public January 2001

Copyright January 2001 Cgisecurity.com