Vulnerabilities: CGIscript.net - csPassword.cgi

Thread: Vulnerabilities: CGIscript.net - csPassword.cgi

  1. #1
    Fastest Thing Alive s0nIc
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584

    Vulnerabilities: CGIscript.net - csPassword.cgi

    Date : May 29, 2002
    Product : csPassword.cgi

    Vendor : WWW.CGIscript.NET, LLC.
    Homepage : http://www.cgiscript.net/



    DISCUSSION:
    ---------------------------------------------------------------------
    From the website: "An automated system for creating and maintaining apache style .htaccess files to password protect website directories."

    The following issues have been found:

    1) Because .htpasswd files are generated in the same folder as the .htaccess files, a web accessible folder, it may be possible for a user who has a password for the protected folder to download the .htpasswd file with the usernames and passwords (crypted) of all the other users. Note: The web server would have to not otherwise restrict access to .ht* files (some do, some don't).

    2) When the program displays an error, it also displays a lot of debug information, including form input, environment values, etc. There's at least a "file path disclosure" problem there, if not more. Sample error URL: csPassword.cgi?command=remove (They call the &remove() function but don't define it.)

    3) For someone who has login access to the csPassword program, it would be possible to insert additional directives into the .htaccess file that is generated, allowing them to potentially do funky things to the web server (redirect traffic, set scripts or data files as viewable text files, make aliases to other non-web folders, etc, etc). This is done by specifying nextlines and additional chars in the title field on the edit page.

    4) When the program saves, deletes, etc. its data file, it creates a "password.cgi.tmp" file that contains all the usernames and (un-encrypted) passwords. Depending on your setup, this file may be readable, and someone hammering your server with requests may be able to download it before the program can rename it over the original. This may be tough, but possible. Note: It looks as if a number of cgiscript.net's other scripts also have this problem.


    EXPLOIT:
    ---------------------------------------------------------------------
    An easy way to enter nextlines into the text field on the edit page is to have your browser turn it into a textbox for you. In Internet Explorer, you can do that by pasting this into the address bar:
    javascript:void(document.form1.title.outerHTML="");


    SOLUTION
    ---------------------------------------------------------------------
    Make sure you only allow trusted users to use the csPassword application and make sure your web server is configured to deny requests for .ht* and *.tmp files. Additionally, password protecting the directory the csPassword program is in will prevent a non-authorized user from viewing debug data (#2) or downloading tmp files.


    VENDOR RESPONSE
    ---------------------------------------------------------------------
    Vendor was quick to respond. Affected users can receive a patch from Vendor on request.

    DISCLAIMER
    ---------------------------------------------------------------------
    The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lays within the user's responsibility.


    CREDIT
    ---------------------------------------------------------------------
    Special thanks to Michael J McCafferty (mike@m5computersecurity.com) for his assistance with this advisory.


    Source: http://www.xatrix.org/article1568.html
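    An added illustration of how issues 3 and 4 above can be closed on the generating side; this is not the advisory's or CGIscript.net's code (csPassword.cgi is a Perl CGI, this is Python). It assumes a hypothetical layout in which the .htpasswd file lives at an absolute path outside the web root, and that the generator only ever emits the four standard Basic-auth directives.

```python
import os
import re
import tempfile

HTACCESS_NAME = ".htaccess"  # assumed output file name for this example

# Conservative character set for the AuthName title: newlines and quotes
# (the escape route in issue 3) are rejected rather than escaped.
_TITLE_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")


def validate_title(title: str) -> bool:
    """True only if title cannot break out of the quoted AuthName line."""
    return bool(_TITLE_RE.fullmatch(title))


def render_htaccess(title: str, htpasswd_path: str) -> str:
    """Build the .htaccess body; raises ValueError on unsafe input."""
    if not validate_title(title):
        raise ValueError("title contains characters not allowed in AuthName")
    if not os.path.isabs(htpasswd_path):
        raise ValueError("AuthUserFile must be an absolute path outside the web root")
    return (
        "AuthType Basic\n"
        f'AuthName "{title}"\n'
        f"AuthUserFile {htpasswd_path}\n"
        "Require valid-user\n"
    )


def write_htaccess_atomic(directory: str, content: str) -> str:
    """Write through a 0600 temp file in the same directory, then rename.

    Addresses issue 4: the temporary file is never world-readable, and
    os.replace is atomic on POSIX, so no reader sees a half-written file
    or a lingering *.tmp copy.
    """
    fd, tmp_path = tempfile.mkstemp(prefix=".htaccess.", dir=directory)
    try:
        os.fchmod(fd, 0o600)  # mkstemp already uses 0600; made explicit
        with os.fdopen(fd, "w") as fh:
            fh.write(content)
        final = os.path.join(directory, HTACCESS_NAME)
        os.replace(tmp_path, final)
        os.chmod(final, 0o644)  # the web server must be able to read it
        return final
    except Exception:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
```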

  2. #2
    Banned
    Join Date
    Mar 2002
    Posts
    520
    Thanks. Is it just me or are there way too many exploits for cgi scripts in sites..

  3. #3
    Fastest Thing Alive s0nIc
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    lol well cgi is the main key to gain control on websites..
