
multiple CGIscript.net scripts - Remote Code Execution

by Nikola Strahija on April 9th, 2002

CGIScript.net distributes a number of free and commercial perl cgi scripts developed by Mike Barone and Andy Angrick. Last month a Remote Code Execution vulnerability was found in their csSearch product; further research, and information provided by the vendor, have revealed that four (4) additional scripts have the same vulnerability.


These scripts are:

csGuestBook - guestbook program
csLiveSupport - web based support/chat program
csNewsPro - website news updater/editor
csChatRBox - web based chat script

These scripts store their configuration data as perl
code in a file called "setup.cgi", which the script
passes to eval() to load it back into memory at runtime.
Due to an Access Validation Error, any user can cause
configuration data to be written to "setup.cgi" and
therefore execute arbitrary perl code on the server.


EXPLOIT:
---------------------------------------------------------------------
Configuration data is (typically) saved with the
following URL.

scriptname.cgi?command=savesetup&setup=PERL_CODE_HERE

Note that any perl code would need to be URL encoded.
A malicious user could essentially execute any
arbitrary perl code or shell commands. Only
csChatRBox was tested for this vulnerability; however,
the vendor stated the other scripts were also affected.

SysAdmins wanting to scan for affected scripts should
check for the following filenames: "csGuestbook.cgi",
"csLiveSupport.cgi", "csNews.cgi", "csChatRBox.cgi".
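As an added example (not part of the original advisory), the following Python checks web-server access logs for the "command=savesetup" request pattern above against the listed script names, so an administrator can see who has rewritten a script's "setup.cgi". The combined log format and the sample lines are constructed assumptions, not captured traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Script filenames named in the advisory, plus csSearch.cgi from the
# March 25, 2002 advisory it cites; matched case-insensitively.
AFFECTED_SCRIPTS = {"csguestbook.cgi", "cslivesupport.cgi", "csnews.cgi",
                    "cschatrbox.cgi", "cssearch.cgi"}

# Combined/NCSA access-log layout (an assumption about the log source).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return ip, timestamp, lower-cased script name and decoded query, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "script": parts.path.rsplit("/", 1)[-1].lower(),
            # parse_qs percent-decodes, so 'setup' comes back as plain Perl text
            "query": parse_qs(parts.query, keep_blank_values=True)}

def is_setup_write(rec):
    """True for a listed script called with command=savesetup, the request the
    advisory identifies as rewriting setup.cgi without access validation."""
    if rec is None or rec["script"] not in AFFECTED_SCRIPTS:
        return False
    return any(v.lower() == "savesetup" for v in rec["query"].get("command", []))

def find_setup_writes(lines):
    """Return (ip, script, decoded setup text) for every flagged request."""
    hits = []
    for rec in map(parse_line, lines):
        if is_setup_write(rec):
            hits.append((rec["ip"], rec["script"], rec["query"].get("setup", [""])[0]))
    return hits

# Constructed sample log (RFC 5737 addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Apr/2002:10:15:02 +0000] "GET /cgi-bin/csChatRBox.cgi?command=savesetup&setup=%24title%3D%27x%27%3B HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [09/Apr/2002:10:15:09 +0000] "GET /cgi-bin/csChatRBox.cgi?command=view HTTP/1.0" 200 2048 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [09/Apr/2002:10:16:44 +0000] "GET /cgi-bin/csGuestbook.cgi?command=savesetup&setup=%24foo%3D1%3B HTTP/1.0" 200 300 "-" "Mozilla/4.0"',
    '192.0.2.9 - - [09/Apr/2002:10:17:00 +0000] "GET /cgi-bin/other.cgi?command=savesetup&setup=x HTTP/1.0" 200 100 "-" "curl/7.9"',
]

if __name__ == "__main__":
    for ip, script, setup in find_setup_writes(SAMPLE_LOG):
        print(f"{ip} rewrote config via {script}: {setup!r}")
```

Legitimate administrators use the same savesetup request, so every hit still needs triage by source address and by what the decoded setup text contains.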


IMPACT:
---------------------------------------------------------------------
Because of the high number of users who are using
CGIscript.net scripts (over 17,000 csSearch users
alone according to the website) and the fact that
search engines can easily be used to identify sites
with the unique "csScriptName.cgi" script names, the
risk posed by these flaws is very high indeed.

Additionally, because the vendor does not post version
numbers or changelogs (that we could find) on their
website or with their software, and because the
patched version of csChatRBox carries the same version
number as the vulnerable version (1.0), users may find
it more difficult to determine whether or not their
script is vulnerable.


VENDOR RESPONSE
---------------------------------------------------------------------
Vendor has released updated versions of all the
affected scripts to patch the flaws.

Vendor was notified of the problem with csChatRBox on
Mar 28th. At that time they stated that they were
already aware of the problem and that four more scripts
(besides csSearch) were affected: csGuestbook,
csLiveSupport, csChatRBox, and csNewsPro.

Vendor posted a notice on their site about the
csChatRBox script but stated that because they were
contacting each customer individually for the
purchased scripts they did not feel a web site posting
was warranted.


VENDOR HISTORY:
---------------------------------------------------------------------
March 25, 2002 - csSearch.cgi - Remote Code Execution
http://online.securityfocus.com/archive/1/264169


DISCLAIMER
---------------------------------------------------------------------
The information within this document may change
without notice. Use of this information constitutes
acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no
event shall the author be liable for any consequences
whatsoever arising out of or in connection with the
use or spread of this information. Any use of this
information lays within the user's responsibility.


FEEDBACK:
---------------------------------------------------------------------
If anyone has any other CGIscript.net scripts they'd
like me to take a look at, just drop me a line at
[email protected]

