
CGIscript.net - csPassword.cgi - Multiple Vulnerabilities

by Nikola Strahija on May 30th, 2002

Date     : May 29, 2002
Product  : csPassword.cgi
Vendor   : WWW.CGIscript.NET, LLC.
Homepage : http://www.cgiscript.net/


DISCUSSION:
---------------------------------------------------------------------
From the website "An automated system for creating and
maintaining apache style .htaccess files to password
protect website directories."

The following issues have been found:

1) because .htpasswd files are generated in the same
folder as the .htaccess files, a web accessible
folder, it may be possible for a user who has a
password for the protected folder to download the
.htpasswd file with the usernames and passwords
(crypted) of all the other users. Note: The web
server would have to not otherwise restrict access to
.ht* files (some do, some don't).

2) When the program displays an error, it also displays
a lot of debug information, including form input,
environment values, etc. There's at least a "file
path disclosure" problem there, if not more. Sample
error URL: csPassword.cgi?command=remove (They call
the &remove() function but don't define it)

3) Someone who has login access to the csPassword
program could insert additional directives into the
.htaccess file that is generated, allowing them to
potentially do funky things to the web server
(redirect traffic, set scripts or data files as
viewable text files, make aliases to other non-web
folders, etc, etc). This is done by specifying
newlines and additional chars in the title field on
the edit page.

4) When the program saves, deletes, etc. its data
file, it creates a "password.cgi.tmp" file that
contains all the usernames and (un-encrypted)
passwords. Depending on your setup, this file may be
readable, and someone hammering your server with
requests may be able to download it before the
program can rename it over the original. This may be
tough, but possible.
Note: It looks as if a number of cgiscript.net's
other scripts also have this problem.
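The following Python example is added here and is not part of the original advisory or of cgiscript.net's code. It shows how a generator of this kind can avoid issues 1, 3 and 4 together: the password file is kept outside the document root, a title carrying newlines or other control characters is rejected so nothing can break out of the AuthName directive, and files are written through a 0600 temporary that is renamed into place, so no plaintext copy is ever world-readable, even briefly. The directory layout, the directive set, the helper names and the sample entry are assumptions for illustration.

```python
import os
import tempfile
from pathlib import Path

# Any ASCII control character (CR, LF, NUL, ...) would let a title end the
# AuthName line and start a new .htaccess directive (issue 3 above).
CONTROL_CHARS = {chr(c) for c in range(0x20)} | {"\x7f"}


def validate_title(title: str) -> str:
    """Return the title escaped for use inside a quoted Apache directive,
    or raise ValueError if it cannot be embedded safely."""
    if not title or len(title) > 128:
        raise ValueError("title must be 1-128 characters")
    if any(c in CONTROL_CHARS for c in title):
        raise ValueError("control characters are not allowed in the title")
    # Escape the quoting characters themselves so the directive stays one token.
    return title.replace("\\", "\\\\").replace('"', '\\"')


def title_is_safe(title: str) -> bool:
    try:
        validate_title(title)
        return True
    except ValueError:
        return False


def render_htaccess(title: str, passwd_file: Path) -> str:
    """Build the .htaccess text from a fixed, allowlisted set of directives."""
    return (
        "AuthType Basic\n"
        f'AuthName "{validate_title(title)}"\n'
        f'AuthUserFile "{passwd_file}"\n'
        "Require valid-user\n"
    )


def ensure_outside_docroot(passwd_file: Path, docroot: Path) -> Path:
    """Refuse a password file location the web server could serve (issue 1)."""
    p, d = passwd_file.resolve(), docroot.resolve()
    if p == d or d in p.parents:
        raise ValueError(f"{p} is inside the document root {d}")
    return p


def write_private_atomic(target: Path, data: str, mode: int = 0o600) -> None:
    """Write data to a temporary in the same directory, then rename it over
    target, so no reader ever sees a partial or world-readable copy (issue 4).
    mkstemp creates the temporary with O_EXCL and mode 0600."""
    fd, tmp = tempfile.mkstemp(dir=str(target.parent), prefix=".write-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, mode)
        os.replace(tmp, target)  # atomic on POSIX; tmp is gone after this
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def demo() -> dict:
    """Constructed layout in a scratch directory: htdocs/members is the
    protected folder; private/ (a sibling of htdocs, never served) holds the
    password file. Assumes the CGI and httpd run as the same user, so 0600
    on the password file still lets httpd read it."""
    base = Path(tempfile.mkdtemp(prefix="cspasswd-demo-"))
    docroot, private = base / "htdocs", base / "private"
    (docroot / "members").mkdir(parents=True)
    private.mkdir()

    passwd = ensure_outside_docroot(private / "members.htpasswd", docroot)
    write_private_atomic(passwd, "alice:{PLACEHOLDER-HASH}\n")  # constructed entry
    htaccess = docroot / "members" / ".htaccess"
    write_private_atomic(htaccess, render_htaccess("Members Area", passwd), mode=0o644)

    return {
        "htaccess": htaccess.read_text(),
        "passwd_mode": passwd.stat().st_mode & 0o777,
        "tmp_files_left": sorted(p.name for p in private.iterdir()
                                 if p.name.startswith(".write-")),
    }


if __name__ == "__main__":
    print(demo())
```

The rename step matters more than it looks: because the temporary is created with mode 0600 and a random name, a client hammering the server during the save window finds nothing it can read, which is the race the fourth issue relies on. Where the CGI and httpd run as different users, replace 0600 with a group-readable mode and a shared group rather than relaxing it to world-readable.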


EXPLOIT:
---------------------------------------------------------------------
An easy way to enter newlines into the text field on
the edit page is to have your browser turn it into a
textbox for you. In Internet Explorer, you can do
that by pasting this into the address bar:

javascript:void(document.form1.title.outerHTML="");


SOLUTION
---------------------------------------------------------------------
Make sure you only allow trusted users to use the
csPassword application and make sure your web server
is configured to deny requests for .ht* and *.tmp
files. Additionally, password protecting the
directory the csPassword program is in will prevent a
non-authorized user from viewing debug data (#2) or
downloading tmp files.
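An operator checking an existing deployment for the conditions above can script the checks. The Python audit below is an added example, not part of the advisory or of cgiscript.net's code: it walks a document root, flags .ht* and *.tmp files the web server might serve together with whether they are world-readable, and reports any line in an .htaccess file that is not one of the directives a password-protection tool would be expected to write. The allowlist, the helper names and the sample layout are assumptions; the real csPassword output may use other directives, so adjust the set to what your copy generates.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# File names a password-protection tool leaves behind that must never be served.
SENSITIVE_NAME = re.compile(r"^\.ht|\.tmp$")

# Directives such a tool is expected to emit. Anything else in a generated
# .htaccess is a sign that the title field was used to inject lines (issue 3).
# ASSUMPTION: adjust to what your csPassword version actually writes.
EXPECTED_DIRECTIVES = {"AuthType", "AuthName", "AuthUserFile", "AuthGroupFile", "Require"}


def is_world_readable(path: Path) -> bool:
    return bool(path.stat().st_mode & stat.S_IROTH)


def unexpected_directives(htaccess_text: str) -> list:
    """Return lines whose first word is not an expected directive
    (blank lines and comments are skipped)."""
    found = []
    for line in htaccess_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0] not in EXPECTED_DIRECTIVES:
            found.append(line)
    return found


def audit_docroot(docroot: Path) -> list:
    """Walk the document root; one finding per sensitive file, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not SENSITIVE_NAME.search(name):
                continue
            p = Path(dirpath) / name
            findings.append({
                "path": p.relative_to(docroot).as_posix(),
                "world_readable": is_world_readable(p),
                "injected": unexpected_directives(p.read_text()) if name == ".htaccess" else [],
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_docroot() -> Path:
    """Constructed layout mirroring the advisory: .htpasswd beside .htaccess,
    a leftover password.cgi.tmp, and an .htaccess whose title field carried a
    newline followed by an extra directive."""
    root = Path(tempfile.mkdtemp(prefix="audit-demo-"))
    members = root / "members"
    members.mkdir()
    (root / "index.html").write_text("<html>public</html>\n")
    (members / ".htaccess").write_text(
        "AuthType Basic\n"
        'AuthName "Members Area"\n'
        "Redirect / http://example.invalid/\n"  # the injected line (constructed)
        f'AuthUserFile "{members / ".htpasswd"}"\n'
        "Require valid-user\n"
    )
    (members / ".htpasswd").write_text("alice:{PLACEHOLDER-HASH}\n")  # constructed
    (members / "password.cgi.tmp").write_text("alice:plaintext-placeholder\n")  # constructed
    for f in members.iterdir():
        f.chmod(0o644)  # the usual default: world-readable
    return root


def demo() -> list:
    return audit_docroot(build_sample_docroot())


if __name__ == "__main__":
    for f in demo():
        flags = ["world-readable"] if f["world_readable"] else []
        flags += [f"injected: {line!r}" for line in f["injected"]]
        print(f["path"], "->", "; ".join(flags) or "ok")
```

Run it against the real document root as the httpd user to see what the server could actually read. The audit only reports; the fix is the one the SOLUTION section gives, a web server rule (for Apache, a FilesMatch block covering the same name pattern) that refuses requests for these names, plus moving the password file outside the served tree.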


VENDOR RESPONSE
---------------------------------------------------------------------
Vendor was quick to respond. Affected users can
receive a patch from Vendor on request.

DISCLAIMER
---------------------------------------------------------------------
The information within this document may change
without notice. Use of this information constitutes
acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no
event shall the author be liable for any consequences
whatsoever arising out of or in connection with the
use or spread of this information. Any use of this
information lies within the user's responsibility.


CREDIT
---------------------------------------------------------------------
Special thanks to Michael J McCafferty
([email protected]) for his assistance with
this advisory.
