Gossamer Threads DBMan Information Leakage Vulnerability
BID:1178
Info
| Bugtraq ID: | 1178 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | May 05 2000 12:00AM |
| Updated: | May 05 2000 12:00AM |
| Credit: | Posted to Bugtraq in an advisory by Black Watch Labs <[email protected]> on May 5, 2000. |
| Vulnerable: | Gossamer Threads DBMan 2.0.4 |
| Not Vulnerable: | |
Discussion
Requesting an invalid database file from a web server running the Gossamer Threads DBMan scripts returns a CGI error message containing environment variables to a remote user, with no authorization required. The values displayed include the local document root path, server administrator account name, web server software, platform, etc.
Exploit / POC
http://target/scripts/dbman/db.cgi?db=invalid-db
Solution / Fix
Solution:
Gossamer Threads has released the following solution. Verify that $db_debug is turned off in the configuration file and replace cgierr in the db.cgi file with the following:
sub cgierr {
# --------------------------------------------------------
# Displays any errors and prints out FORM and ENVIRONMENT
# information. Useful for debugging.
    if (!$html_headers_printed) {
        print "Content-type: text/html\n\n";
        $html_headers_printed = 1;
    }
    print "DBMan encountered an internal error. ";
    if ($db_debug) {
        # The dump below is emitted only when $db_debug is set.
        # qq|...| is used so the double quotes in the HTML attributes
        # do not terminate the string.
        print qq|</font></p>
<div align="left"><pre><font size="3"
face="Arial, Helvetica, sans-serif">\n\nCGI ERROR\n==========================================\n|;
        $_[0] and print "Error Message : $_[0]\n";
        $0 and print "Script Location : $0\n";
        $] and print "Perl Version : $]\n";
        $db_setup and print "Setup File : $db_setup.cfg\n";
        $db_userid and print "User ID : $db_userid\n";
        $db_uid and print "Session ID : $db_uid\n";
        print "\nForm Variables\n-------------------------------------------\n";
        foreach $key (sort keys %in) {
            my $space = " " x (20 - length($key));
            print "$key$space: $in{$key}\n";
        }
        print "\nEnvironment Variables\n-------------------------------------------\n";
        foreach $env (sort keys %ENV) {
            my $space = " " x (20 - length($env));
            print "$env$space: $ENV{$env}\n";
        }
        print qq|\n</font></pre>
</div><p><font size="3"
face="Arial, Helvetica, sans-serif">|;
    }
    else {
        # With debugging off, no script, form or environment details are returned.
        print "Please enable debugging to view.";
    }
    exit -1;
}
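To confirm the fix on your own installation, the check below parses a saved cgierr response body and reports whether it still carries the environment dump. It is an added example, not code from Gossamer Threads or the advisory; the function names, the sample pages and the mapping of the advisory's listed items to CGI variable names are assumptions.

```python
import re

# CGI variables for the items the advisory lists as exposed (mapping is an assumption).
SENSITIVE = {"DOCUMENT_ROOT", "SERVER_ADMIN", "SERVER_SOFTWARE"}
SECTION = re.compile(r"^(Form Variables|Environment Variables)\s*$")
ENTRY = re.compile(r"^(\S+)\s*: (.*)$")

# Constructed sample of a cgierr page with the dump enabled (all values invented).
VERBOSE = """DBMan encountered an internal error. </font></p>
<div align="left"><pre><font size="3"
face="Arial, Helvetica, sans-serif">

CGI ERROR
==========================================
Error Message : constructed error text

Form Variables
-------------------------------------------
db                  : invalid-db

Environment Variables
-------------------------------------------
DOCUMENT_ROOT       : /srv/www/htdocs
SERVER_ADMIN        : webmaster@example.test
SERVER_SOFTWARE     : Apache/1.3 (Unix)
</font></pre>"""
# Constructed sample of the page produced by the replacement cgierr with $db_debug off.
PATCHED = "DBMan encountered an internal error. Please enable debugging to view."

def parse_cgierr(body):
    """Split a cgierr page into its 'Form Variables' and 'Environment Variables' tables."""
    text = re.sub(r"<[^>]+>", "", body)  # drop the <div>/<pre>/<font> wrapper tags
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION.match(line.strip())
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = ENTRY.match(line)
        if current is not None and m:  # "NAME<padding>: value" rows inside a section
            current[m.group(1)] = m.group(2)
    return sections

def audit(body):
    """Report whether the dump is present and which sensitive variables it shows."""
    env = parse_cgierr(body).get("Environment Variables", {})
    return {"debug_dump": bool(env), "leaked": sorted(SENSITIVE & set(env))}

if __name__ == "__main__":
    print(audit(VERBOSE), audit(PATCHED))
```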
References
References:
- DBMan Product Home Page (Gossamer Threads)