eXtropia bbs_forum.cgi Remote Arbitrary Command Execution Vulnerability
BID:2177
Info
eXtropia bbs_forum.cgi Remote Arbitrary Command Execution Vulnerability
| Bugtraq ID: | 2177 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Jan 07 2001 12:00AM |
| Updated: | Jan 07 2001 12:00AM |
| Credit: | Reported to bugtraq by "[email protected]" <[email protected]> on 7 Jan, 2001. |
| Vulnerable: |
Extropia bbs_forum.cgi 1.0 |
| Not Vulnerable: | |
Exploit / POC
eXtropia bbs_forum.cgi Remote Arbitrary Command Execution Vulnerability
scott <[email protected]> provided the following example:
www.web*site.com/cgi-bin/bbs_forum.cgi?forum=<forum_name>&read=../../../../../../etc/hosts.allow
note: The section: <forum_name> must be a valid forum on the webserver.
scott <[email protected]> provided the following example:
www.web*site.com/cgi-bin/bbs_forum.cgi?forum=<forum_name>&read=../../../../../../etc/hosts.allow
note: The section: <forum_name> must be a valid forum on the webserver.
Solution / Fix
eXtropia bbs_forum.cgi Remote Arbitrary Command Execution Vulnerability
Solution:
Excerpted from CGI Security Advisory #3.1:
Patch: http://www.extropia.com/hacks/bbs_security.html
If you have made extensive modifications to bbs_forum.cgi and do not wish to start over from scratch, search for the line at the start of bbs_forum.cgi that says
&ReadParse;
And insert afterwards the following:
if ($in{'read'} && $in{'read'} !~ /^\d+-\d+\.msg$/i)
{
print "Invalid Message #";
die("Invalid Message # provided: " .
$in{'read'});
}
if ($in{'reply_to_message'} &&
$in{'reply_to_message'} !~ /^\d+-\d+\.msg$/i) {
print "Invalid Reply To Message #";
die("Invalid Reply To Message # provided: " .
$in{'reply_to_message'});
}
This code assures the script that the message file
form variables can only consist of the strict filename format of digits
followed by a hyphen followed by some digits followed by the literal
string ".msg".
We recommend updating your script as soon as possible.
Special thanks to cgisecurity.com for pointing our the issue.
Solution:
Excerpted from CGI Security Advisory #3.1:
Patch: http://www.extropia.com/hacks/bbs_security.html
If you have made extensive modifications to bbs_forum.cgi and do not wish to start over from scratch, search for the line at the start of bbs_forum.cgi that says
&ReadParse;
And insert afterwards the following:
if ($in{'read'} && $in{'read'} !~ /^\d+-\d+\.msg$/i)
{
print "Invalid Message #";
die("Invalid Message # provided: " .
$in{'read'});
}
if ($in{'reply_to_message'} &&
$in{'reply_to_message'} !~ /^\d+-\d+\.msg$/i) {
print "Invalid Reply To Message #";
die("Invalid Reply To Message # provided: " .
$in{'reply_to_message'});
}
This code assures the script that the message file
form variables can only consist of the strict filename format of digits
followed by a hyphen followed by some digits followed by the literal
string ".msg".
We recommend updating your script as soon as possible.
Special thanks to cgisecurity.com for pointing our the issue.
References
eXtropia bbs_forum.cgi Remote Arbitrary Command Execution Vulnerability
References:
References: