Name : wwwisis remote command execution and get files Software Package : wwwisis possibly affected : JavaISIS and other tools based on wwwisis Vendor Homepage : http://www.bireme.br/isis/I/wwwi.htm Vulnerable Versions: 3.45 verified, probably others Platforms : Linux verified, probably others Vulnerability Type : Input Validation Error Vendor Contacted : 28 Feb 2002 Vendor Replied : 01 Mar 2002 CONTACT INFORMATION =============================================================================== Name : Klaus Ripke E-mail : krip@openisis.org Vendor contact name : Abel Laerte Packer Vendor contact e-mail : abel@brm.bireme.br TECHNICAL INFO =============================================================================== Introduction: wwwisis runs as cgi to query mostly bibliographical databases. Deployed on probably some hundred systems or more. While this vuln is probably currently not being exploited, it's possible to install workarounds right now, therefore this information is published. Summary: In common setups of wwwisis, query parameters can be forged to have wwwisis execute any (shell) command and display any readable file as allowed for the user of the cgi process. Vulnerability can be avoided with careful setup. Description: Input parameters from query string are not checked for bad input. In common plain-vanilla setups such as the examples in the manual, it is possible to have the process execute any format as sent by the remote user. The formatting language has some too powerful functions. There is also an alternate attack possibility abusing PATH_INFO. Impact: Ability to execute any command and get any file as allowed for the cgi process. Exploits: Since there is not yet a fix published, and the vuln is probably currently not being exploited, details are to follow at a later time. Workaround: Avoid wwwisis being called directly -- wrap it up in a perl -t script. Wipe out any suspicious stuff from query params, clean up the ENV, then exec wwwisis with a list of params. Read the perlsec manpage. Vendor Status: Bireme will check it out.
