Extropia WebBanner Input Validation Vulnerability
BID:1347
Info
| Bugtraq ID: | 1347 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jun 14 2000 12:00AM |
| Updated: | Jun 14 2000 12:00AM |
| Credit: | First posted to Bugtraq by Johannes Westerink <[email protected]> on June 14, 2000. |
| Vulnerable: | Extropia WebBanner 4.0 |
| Not Vulnerable: | |
Discussion
Extropia WebBanner is an open-source Perl CGI utility that lets a webmaster display banners at random. One of its components, index.cgi, has an input validation vulnerability: it passes a user-supplied HTTP variable (html_file) to the open() call without checking for metacharacters. As a result, it is possible to execute arbitrary commands on the target host and gain remote access with the privileges of the web server.
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
The following is taken directly from the BugTraq post regarding this issue; it is a solution provided by the author of the post:
Solution:
~~~~~~~~~~
A snippet of script index.cgi at line 195 without comments:
>---[ line 195 + ]-------------------------------------------------
open (HTML_FILE, "$html_file") ||
    &CgiDie (" blablabla... ");
while (<HTML_FILE>)
{
    if (/\<!--IMG GOES HERE--\>/)
    {
        print qq!
        <A HREF = "$random_url">
        <IMG SRC = "$image_url/$random_image"></A>!;
    } else {
        print "$_";
    }
}
close (HTML_FILE);
<------------------------------------------------------------------
The above snippet is not safe code. To make it safer,
good code should look like this:
>---[ change above snippet to this snippet! ]----------------------
# Decode %XX URL escapes first, so encoded characters cannot slip past the check.
$html_file =~ s/\%([\d\w]{2})/pack('c',hex($1))/gie;
# Refuse parent-directory sequences ("../") and the pipe character.
if( $html_file =~ /\.\.\/|\|/ )
{
    &CgiDie( "Not allowed... " );
} else {
    open (HTML_FILE, "$html_file") ||
        &CgiDie ( "I'm sorry, but I was unable to open the requested
HTML file in the Insert Random Banner Into Page routine. The
value I have is $html_file. Would you please check the path and
the permissions for the file." );
    while (<HTML_FILE>)
    {
        if (/\<!--IMG GOES HERE--\>/)
        {
            print qq!
            <A HREF = "$random_url">
            <IMG SRC = "$image_url/$random_image"></A>!;
        } else {
            print "$_";
        }
    }
    close (HTML_FILE);
}
<------------------------------------------------------------------
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
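An added example, not taken from the BugTraq post or from Extropia's code: a stricter way to handle html_file than a pattern filter, using an allow-list for the file name and three-argument open() so the value is only ever treated as a file to read. The names resolve_html_file, read_html_file and $HTML_DIR, and the directory path, are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use Cwd qw(realpath);

# Assumption: every page that may receive a banner lives in one directory.
my $HTML_DIR = '/var/www/banner_pages';   # hypothetical path

# Return an absolute path inside $base, or nothing if the request value is
# not a plain file name that resolves to a regular file in that directory.
sub resolve_html_file {
    my ($raw, $base) = @_;
    return unless defined $raw;

    # Allow-list: letters, digits, '_', '-', '.', ending in .htm or .html.
    # This rejects '|', '/', '<', '>', NUL, whitespace and '%' escapes.
    return unless $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\.html?)\z/;
    my $name = $1;

    my $real_base = realpath($base) or return;
    my $real = realpath(File::Spec->catfile($real_base, $name));
    # After symlink resolution the file must still sit under the base.
    return unless defined $real
        && index($real, "$real_base/") == 0
        && -f $real;
    return $real;
}

# Read the page with three-argument open: the mode '<' is fixed, so the
# path can never be interpreted as a pipe or an output redirection.
sub read_html_file {
    my ($raw, $base) = @_;
    my $path = resolve_html_file($raw, $base) or return;
    open(my $fh, '<', $path) or return;
    local $/;                 # slurp the whole file
    my $html = <$fh>;
    close($fh);
    return $html;
}

# Constructed inputs. 'index.html' is accepted only if it exists under
# $HTML_DIR; the other three are rejected before any open() happens.
for my $value ('index.html', '../index.html', 'index.html|', '/etc/passwd') {
    my $ok = defined resolve_html_file($value, $HTML_DIR) ? 'accept' : 'reject';
    printf "%-16s %s\n", $value, $ok;
}
```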