
Multiple cgihtml vulnerabilities

by Nikola Strahija on January 8th, 2003

cgihtml is a collection of routines for parsing World Wide Web (WWW)
Common Gateway Interface (CGI) input and outputting HyperText Markup
Language (HTML).

According to the authors website, it has potentially been used in the
implementation of everything from individual home pages to large
e-commerce sites.

It was written by Eugene Eric Kim, also the
publisher of the 'CGI Developer's Guide'.


These vulnerabilities were discovered in the current release of
cgihtml, version 1.69.

== Unsafe temporary file usage

The most obvious error is that, when handling form uploads (content
type 'multipart/form-data'), cgihtml attempts to create a file in the
system /tmp directory (or other directory if configured) using the
name provided by the user agent, without doing any checks on the
filename. This allows the user agent to trivially write to any file
outside /tmp by using a filename with a path containing '../'.

== Unsafe temporary file creation

The way the temporary file is created is also insecure and could be
exploited locally (using symlink attacks or similar).

== Unsafe interpretation of content-length

cgihtml implicitly trusts the content length specified by the user
agent, and allocates memory based on that value in which to store the
post data. This is a trivial DOS.

== Unsafe memory management and assumption of input structure

I have noticed numerous points throughout the code where input is
handled insecurely, or the input format is assumed, which can allow
the user agent to cause bad memory accesses and most likely buffer
overflows. My brief investigation focused on the 'multipart/form-data'
processing, but I am assuming similar problems may exist outside this
section of the code.

As an example, it is assumed that header lines in multipart sections
will be structured such that the name of the section can be read
beginning at the 38th character of the line, and no attempt is made
to verify the buffer contains that amount of data.

== Notification

I have attempted to contact the author via his email address on
10/12/2002, but have not received any reply.

== Exploit

I'm not going to provide any exploit code to take advantage of these
issues. However, below is an example user agent request that triggers
the first issue mentioned (unsafe temporary file usage).

=====request start
User-Agent: Haxor
Content-Type: multipart/form-data; boundary=#123456789#multipart#boundary#1234567890#
Content-Length: 282

Content-Disposition: form-data; name="Haxor"; filename="../../../tmp/haxor.html"


This page should not be here

=====request end

Best Regards,
Chris Leishman
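As an added illustration of the mitigations for the first and third issues above (this is example code written for this page, not cgihtml's code and not part of the advisory), the C routines below locate the filename parameter by searching the header line rather than assuming a fixed column, reduce the client-supplied name to a base name drawn from an allow-list of characters so '../' paths cannot escape the upload directory, and cap the declared Content-Length before any buffer is sized from it. The function names and the MAX_UPLOAD_BYTES ceiling are assumptions chosen for this example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Ceiling on the buffered request body; chosen for this example, not
 * taken from cgihtml. */
#define MAX_UPLOAD_BYTES (8UL * 1024UL * 1024UL)

/* Extract filename="..." from a Content-Disposition line and reduce it to a
 * safe base name in 'out'.  Returns 0 on success, -1 if the parameter is
 * missing or unterminated, would not fit, or is not a plain file name. */
int safe_upload_name(const char *header, char *out, size_t outlen)
{
    const char *p = strstr(header, "filename=\"");  /* search, no fixed column */
    if (p == NULL)
        return -1;
    p += strlen("filename=\"");
    const char *end = strchr(p, '"');
    if (end == NULL)                 /* unterminated quote: malformed */
        return -1;
    /* Keep only the last path component: "../../../tmp/x" and "C:\dir\x"
     * both collapse to "x" instead of escaping the upload directory. */
    const char *base = p;
    for (const char *q = p; q < end; q++)
        if (*q == '/' || *q == '\\')
            base = q + 1;
    size_t len = (size_t)(end - base);
    if (len == 0 || len >= outlen)
        return -1;
    if (strncmp(base, ".", len) == 0 || strncmp(base, "..", len) == 0)
        return -1;                   /* "." and ".." are not file names */
    for (size_t i = 0; i < len; i++)  /* allow-list: alnum and . _ - */
        if (!isalnum((unsigned char)base[i]) && strchr("._-", base[i]) == NULL)
            return -1;
    memcpy(out, base, len);
    out[len] = '\0';
    return 0;
}

/* Parse Content-Length and apply MAX_UPLOAD_BYTES before any buffer is
 * sized from it.  Returns the length, or -1 if absent, non-numeric or
 * above the ceiling. */
long checked_content_length(const char *value)
{
    char *endp;
    if (value == NULL || *value == '\0')
        return -1;
    unsigned long n = strtoul(value, &endp, 10);
    if (*endp != '\0' || n > MAX_UPLOAD_BYTES)
        return -1;
    return (long)n;
}
```

Creating the upload with mkstemp() inside the upload directory, rather than open() on the sanitised name, also covers the symlink issue raised in the second section.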
